MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2
SHA3-384 hash: aac8ab629b71af9dc7b310ded886175fae798809404dba21fb6d983616f85b63b4a09a3711762a4eb1325adea325046b
SHA1 hash: b14cd344e70a5fec100925d32d08399671e4f434
MD5 hash: fc8b4ad76d2b7b814f6fcaeed5d0af75
humanhash: earth-september-ink-romeo
File name:SecuriteInfo.com.Win32.Evo-gen.23207.8804
Download: download sample
Signature Amadey
Create hunting rule
File size:1'902'080 bytes
First seen:2024-06-14 17:26:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:z32SkrBRq+zNtYu3/UOXTqPsVNEYlv4jWBHSsY5B5AyZ:wrXtzL9vtqPuNEYliws
TLSH T15195339B9BDABB63D5ECD7F52F6D4280A32063CF071B51631652D87998972E2324B0CC
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2.exe
Verdict:
Malicious activity
Analysis date:
2024-06-14 17:27:15 UTC
Tags:
amadey botnet stealer loader risepro
Link:
https://app.any.run/tasks/2ca249a7-2d74-4e06-bae4-8b78f24dc5a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.23207.8804.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=666c7f1f0f85a8479dc7214awin7simulatehigh_evasion
Tags:
Banker Stealth Crypt Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm masquerade microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/666c7d7321581a92819d0043/reports/298a12db-cad6-4116-91d1-62f4228c4b25/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/82dd8566-4355-40c6-ae36-15225b06a88f
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1457464
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Sigma detected: New RUN Key Pointing to Suspicious Folder
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1457464 Sample: SecuriteInfo.com.Win32.Evo-... Startdate: 14/06/2024 Architecture: WINDOWS Score: 100 88 ipinfo.io 2->88 90 db-ip.com 2->90 118 Snort IDS alert for network traffic 2->118 120 Antivirus detection for URL or domain 2->120 122 Antivirus detection for dropped file 2->122 124 11 other signatures 2->124 9 explortu.exe 1 23 2->9         started        14 SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe 5 2->14         started        16 MPGPH131.exe 2->16         started        18 8 other processes 2->18 signatures3 process4 dnsIp5 110 147.45.47.155, 49714, 49716, 49719 FREE-NET-ASFREEnetEU Russian Federation 9->110 112 77.91.77.81, 49715, 49717, 49720 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 9->112 74 C:\Users\user\AppData\...\4aa1876652.exe, PE32 9->74 dropped 76 C:\Users\user\AppData\...\a3cd5393c1.exe, PE32 9->76 dropped 78 C:\Users\user\AppData\Local\...\sarra[1].exe, PE32 9->78 dropped 86 4 other malicious files 9->86 dropped 160 Creates multiple autostart registry keys 9->160 162 Hides threads from debuggers 9->162 184 3 other signatures 9->184 20 b48a90224a.exe 4 9->20         started        24 explortu.exe 7 64 9->24         started        27 a3cd5393c1.exe 9->27         started        29 4aa1876652.exe 9->29         started        80 C:\Users\user\AppData\Local\...\explortu.exe, PE32 14->80 dropped 82 C:\Users\...\explortu.exe:Zone.Identifier, ASCII 14->82 dropped 164 Detected unpacking (changes PE section rights) 14->164 166 Tries to evade debugger and weak emulator (self modifying code) 14->166 168 Tries to detect virtualization through RDTSC time measurements 14->168 170 Potentially malicious time measurement code found 14->170 31 explortu.exe 14->31         started        172 Antivirus detection for dropped file 16->172 174 Multi AV Scanner detection for dropped file 16->174 176 Machine Learning detection for dropped file 16->176 84 C:\Users\user\...\CrJxKYEoBFPPmAg6JgIx_Fc.zip, Zip 18->84 dropped 178 Tries to steal Mail credentials (via file / registry access) 18->178 180 Found many strings related to Crypto-Wallets (likely being stolen) 18->180 182 Tries to harvest and steal browser information (history, passwords, etc) 18->182 33 WerFault.exe 18->33         started        file6 signatures7 process8 dnsIp9 62 C:\Users\user\AppData\Local\...\axplong.exe, PE32 20->62 dropped 134 Antivirus detection for dropped file 20->134 136 Detected unpacking (changes PE section rights) 20->136 138 Machine Learning detection for dropped file 20->138 154 3 other signatures 20->154 35 axplong.exe 20->35         started        104 147.45.47.126, 49718, 49725, 49767 FREE-NET-ASFREEnetEU Russian Federation 24->104 106 ipinfo.io 34.117.186.192, 443, 49721, 49763 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 24->106 108 db-ip.com 172.67.75.166, 443, 49723, 49768 CLOUDFLARENETUS United States 24->108 64 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 24->64 dropped 66 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 24->66 dropped 68 C:\Users\user\...\xuh99OyybEu3Z_H3Z9SUbhC.zip, Zip 24->68 dropped 72 2 other malicious files 24->72 dropped 140 Tries to steal Mail credentials (via file / registry access) 24->140 142 Found many strings related to Crypto-Wallets (likely being stolen) 24->142 144 Creates multiple autostart registry keys 24->144 38 schtasks.exe 1 24->38         started        40 schtasks.exe 1 24->40         started        42 WerFault.exe 24->42         started        70 C:\Users\user\...behaviorgraphCDgb2oYP3f4HqzxRCUeMWS.zip, Zip 27->70 dropped 156 2 other signatures 27->156 44 WerFault.exe 27->44         started        146 Binary is likely a compiled AutoIt script file 29->146 46 chrome.exe 29->46         started        148 Multi AV Scanner detection for dropped file 31->148 150 Found stalling execution ending in API Sleep call 31->150 152 Contains functionality to inject threads in other processes 31->152 158 3 other signatures 31->158 file10 signatures11 process12 dnsIp13 126 Antivirus detection for dropped file 35->126 128 Detected unpacking (changes PE section rights) 35->128 130 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->130 132 5 other signatures 35->132 49 conhost.exe 38->49         started        51 conhost.exe 40->51         started        114 192.168.2.5, 443, 49705, 49707 unknown unknown 46->114 116 239.255.255.250 unknown Reserved 46->116 53 chrome.exe 46->53         started        56 chrome.exe 46->56         started        58 chrome.exe 46->58         started        60 2 other processes 46->60 signatures14 process15 dnsIp16 92 youtube-ui.l.google.com 142.250.184.206, 443, 49730 GOOGLEUS United States 53->92 94 www3.l.google.com 142.250.185.174, 443, 49764 GOOGLEUS United States 53->94 102 3 other IPs or domains 53->102 96 play.google.com 142.250.186.142, 443, 49782, 49785 GOOGLEUS United States 56->96 98 172.217.18.4, 443, 54778, 54902 GOOGLEUS United States 58->98 100 216.58.212.142, 443, 49816, 49817 GOOGLEUS United States 58->100
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2/
Threat name:
Win32.Spyware.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2024-06-14 14:50:34 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aiwhn4thodrgq23iu2hon3js2notgyyi32mvi46xbqcpdldpqpja._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:risepro botnet:0e6740 botnet:e76b71 evasion persistence stealer trojan
Link:
https://tria.ge/reports/240614-v1eb5stdpj/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
RisePro
Malware Config
C2 Extraction:
http://147.45.47.155
http://77.91.77.81
Unpacked files
SH256 hash:
a91489c4a98ebe7a1973425bcb4558f3739e6d84480c7e33798e634dbc5f0287
MD5 hash:
7d73c83e1648461edc06b9c0f4b97dd6
SHA1 hash:
5e02fd7b16207e17307a8cb491784cc342152785
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/580b9bed-b3c1-489d-b359-fefbb4b4d906/
SH256 hash:
022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2
MD5 hash:
fc8b4ad76d2b7b814f6fcaeed5d0af75
SHA1 hash:
b14cd344e70a5fec100925d32d08399671e4f434
Link:
https://www.unpac.me/results/580b9bed-b3c1-489d-b359-fefbb4b4d906/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2888852/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2888851/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments