MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0321da385d5c03cea287316cabb9190060cdb444a9816121ede86ec31bcbfdc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Amadey
Vendor detections: 14

SHA256 hash: 0321da385d5c03cea287316cabb9190060cdb444a9816121ede86ec31bcbfdc7
SHA3-384 hash: bb984e4ed02d3f2fc188bb6003130613b3ed27f328afacff20ddfd6a1f654578d55030cf7c0fbcd16659b0fb431ef9ec
SHA1 hash: 5f94408a89c401e2a3d7f59d03c1b98d68d855e2
MD5 hash: 1aaea333f1a2b0870df8c506b237eff7
humanhash: aspen-kitten-double-fanta
File name: 1aaea333f1a2b0870df8c506b237eff7.exe
Signature: Amadey
File size: 327'680 bytes
First seen: 2022-09-17 03:10:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash aa29dbf77fdf0b871c93dceb04f86eca (1 x Smoke Loader, 1 x DCRat, 1 x Amadey)
ssdeep 6144:GfEB4rDaA1co4Ql1YDuYEktDiaAQq26IMJ7nzf5mMO+Cv4M60kWwU:Gu4z1coh3YDuYEktvZFyrrzPCZjknU
Threatray 469 similar samples on MalwareBazaar
TLSH T12A64AE11B690C035F0B712F44A7A83B8B52E7EA09B7454CF62D566EE5B34AE0EC3135B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon 8178ecf0f8f0c8f0 (1 x Amadey)
Reporter abuse_ch
Tags: Amadey exe


abuse_ch
Amadey C2:
http://guideanceers.com/rTnS24/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://guideanceers.com/rTnS24/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/850175/

Intelligence


File Origin
# of uploads: 1
# of downloads: 469
Origin country: n/a

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 1aaea333f1a2b0870df8c506b237eff7.exe
Verdict: Malicious activity
Analysis date: 2022-09-17 03:12:32 UTC
Tags: trojan amadey loader stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a custom TCP request

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult greyware lockbit packed smoke
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph (ID 704611; sample Om02KVG2Ki.exe; start date 17/09/2022; architecture Windows; score 100): rendered process graph, not reproduced in this text view.
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-09-13 10:05:24 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 24 of 26 (92.31%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey collection persistence spyware stealer trojan
Behaviour
outlook_win_path
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 5edcf8b31ce5ebcc11261a2a57c32155972e19d6c174435dd23a5eb0e9c77f89
MD5 hash: c32413503be49c703591c2c78e89b582
SHA1 hash: 979746ed36603d9aa5d1c10422bbdf0d5dd6e740

SHA256 hash: 0321da385d5c03cea287316cabb9190060cdb444a9816121ede86ec31bcbfdc7
MD5 hash: 1aaea333f1a2b0870df8c506b237eff7
SHA1 hash: 5f94408a89c401e2a3d7f59d03c1b98d68d855e2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: RansomwareTest4
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: Amadey
Sample: Executable exe 0321da385d5c03cea287316cabb9190060cdb444a9816121ede86ec31bcbfdc7 (this sample)

Comments