MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00283f31ab994fb21115ac05c76f31a4554de053cac7a3a070bc69341b91c054. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 9


Intelligence 9 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00283f31ab994fb21115ac05c76f31a4554de053cac7a3a070bc69341b91c054
SHA3-384 hash: dd13f4dc2291b7f56fd64217d23e4fb97c9020e90e30eab5bbb3ff8b9009d4b943a168912d29d78f686beff872aedb35
SHA1 hash: e041a949ab3fc29d76f68d9d7bacb5c6c4d6417c
MD5 hash: a741b652004cc3adcbc9cd821a87ecc8
humanhash: utah-mockingbird-orange-mobile
File name:themoph.tar
Download: download sample
Signature Amadey
Create hunting rule
File size:4'483'072 bytes
First seen:2024-10-19 14:16:29 UTC
Last seen:Never
File type: tar
MIME type:application/x-tar
ssdeep 98304:VwREisaU2lvzk1JDIuTmNNwcKi5rkTs0+:/isaU2lvzUD16Do
TLSH T1AE26D022F7C59422FC5F0632876AE28575FB69210362A9DB42D4A9BCCF341D01EBE753
TrID 62.9% (.TAR/GTAR) TAR - Tape ARchive (GNU) (17/3)
37.0% (.TAR) TAR - Tape ARchive (file) (10/3)
Magika tar
Reporter NDA0E
Tags:Amadey AutoIT DarkGate tar

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
NL NL
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:NETGATE Spy Emergency.exe
File size:4'481'314 bytes
SHA256 hash: 822b737a9db5ead10aec86a34feb57141e43c5679b620ce3191d335997a3f44d
MD5 hash: 5298db7bfc6a857c39a87dd4d0ac7d87
MIME type:application/x-dosexec
Signature Amadey
Vendor Threat Intelligence
Detection(s):
MiscreantPunch.SingleXOR.EXE.230.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.HEUR.Trojan.Script.Generic.27109.3620.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6712d52334f884d15c8ce383
Tags:
Powershell Autoit Emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit dotnet embarcadero_delphi fingerprint installer lolbin obfuscated overlay packed packed setupapi shell32
Link:
https://www.filescan.io/uploads/6713bf5fc06827a6f6b055c8/reports/fbfe493f-1b90-46dd-ab0f-01199a443566/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/00283f31ab994fb21115ac05c76f31a4554de053cac7a3a070bc69341b91c054
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
98%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/00283f31ab994fb21115ac05c76f31a4554de053cac7a3a070bc69341b91c054
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00283f31ab994fb21115ac05c76f31a4554de053cac7a3a070bc69341b91c054/
Threat name:
Win32.Trojan.DarkGate
Create hunting rule
Status:
Malicious
First seen:
2024-10-18 21:37:46 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aaud6mnltfh3eeivvqc4o3zrurku3yctzld2hidqxrutig4rybka._file
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:322a8d discovery persistence trojan
Link:
https://tria.ge/reports/241019-v1eb5sxhqa/
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Malware Config
C2 Extraction:
http://152.89.198.124
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00283f31ab994fb21115ac05c76f31a4554de053cac7a3a070bc69341b91c054

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:AutoIT_Script
Create hunting rule
Author:@bartblaze
Description:Identifies AutoIT script. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

tar 00283f31ab994fb21115ac05c76f31a4554de053cac7a3a070bc69341b91c054

(this sample)

DarkGate

Executable exe a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd

Amadey

Executable exe 822b737a9db5ead10aec86a34feb57141e43c5679b620ce3191d335997a3f44d

  
Dropping
SHA256 822b737a9db5ead10aec86a34feb57141e43c5679b620ce3191d335997a3f44d
  
URLhaus
https://urlhaus.abuse.ch/url/3242741/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3242977/
  
URLhaus
https://urlhaus.abuse.ch/url/3242978/
  
URLhaus
https://urlhaus.abuse.ch/url/3242979/
  
URLhaus
https://urlhaus.abuse.ch/url/3242989/
  
URLhaus
https://urlhaus.abuse.ch/url/3242990/
  
Dropping
MD5 5298db7bfc6a857c39a87dd4d0ac7d87

Comments