Threat name: Amadey, Credential Flusher, DarkVision R
Classification: troj.spyw.expl.evad
Signatures:
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected DarkVision Rat
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behavior Graph
ID: 1571262
Sample: file.exe
Startdate: 09/12/2024
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the graph's node and edge labels (bracketed numbers are the graph's own node IDs; the Network, Dropped, Signatures and Started entries are the edges attached to each process):

[2] file.exe (sample)
  Network: woo097878781.win; youtube.com; 14 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 27 other signatures
  Started: [11] skotes.exe; [16] file.exe; [18] skotes.exe; [20] 6 other processes

[11] skotes.exe
  Network: 185.215.113.43 (ports 49754, 49764, 49777), WHOLESALECONNECTIONSNL, Portugal; 185.215.113.16 (ports 49783, 49807, 49829), WHOLESALECONNECTIONSNL, Portugal; 31.41.244.11 (ports 49766, 80), AEROEXPRESS-ASRU, Russian Federation
  Dropped: C:\Users\user\AppData\...\6dce78ba2b.exe (PE32); C:\Users\user\AppData\...\b5c7128cd0.exe (PE32); C:\Users\user\AppData\...\2bd330404c.exe (PE32); 7 other malicious files
  Signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Started: [22] 4ZAAIhb.exe; [26] 2bd330404c.exe; [29] c92938c010.exe; [37] 2 other processes

[16] file.exe
  Dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32); C:\Users\user\...\skotes.exe:Zone.Identifier (ASCII)
  Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
  Started: [31] skotes.exe

[18] skotes.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

[20] 6 other processes
  Signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  Started: [33] firefox.exe; [35] taskkill.exe

[22] 4ZAAIhb.exe
  Dropped: C:\Users\user\AppData\Local\Temp\...\D6E.bat (ASCII)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: [39] cmd.exe

[26] 2bd330404c.exe
  Network: 185.215.113.206 (ports 49827, 49880, 80), WHOLESALECONNECTIONSNL, Portugal
  Dropped: C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); C:\Users\user\AppData\...\freebl3[1].dll (PE32); 5 other files (3 malicious)
  Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Attempt to bypass Chrome Application-Bound Encryption; 2 other signatures
  Started: [43] chrome.exe

[29] c92938c010.exe
  Network: atten-supporse.biz, 104.21.16.9 (ports 443, 49799, 49806), CLOUDFLARENETUS, United States
  Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures

[31] skotes.exe
  Signatures: 3 other signatures

[33] firefox.exe
  Network: youtube.com, 142.250.181.78 (ports 443, 49895, 49896), GOOGLEUS, United States; prod.detectportal.prod.cloudops.mozgcp.net, 34.107.221.82 (ports 49897, 49909, 49910), GOOGLEUS, United States; 5 other IPs or domains
  Started: [45] firefox.exe; [47] firefox.exe

[35] taskkill.exe
  Started: [49] conhost.exe

[37] 2 other processes
  Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (window names); 3 other signatures
  Started: [51] taskkill.exe; [53] taskkill.exe; [55] taskkill.exe; [57] 3 other processes

[39] cmd.exe
  Dropped: C:\Users\user\...\AutoRun_WindosCPUsystem.bat (DOS)
  Signatures: Suspicious powershell command line found; Drops script or batch files to the startup folder; Adds a directory exclusion to Windows Defender
  Started: [59] downloaded_file.exe; [62] powershell.exe; [64] powershell.exe; [78] 4 other processes

[51] taskkill.exe
  Started: [68] conhost.exe

[53] taskkill.exe
  Started: [70] conhost.exe

[55] taskkill.exe
  Started: [72] conhost.exe

[57] 3 other processes
  Started: [74] conhost.exe; [76] conhost.exe

[59] downloaded_file.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender; 2 other signatures
  Started: [80] explorer.exe; [84] cmd.exe

[62] powershell.exe
  Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module; Powershell drops PE file

[64] powershell.exe
  Network: woo097878781.win, 154.216.20.243 (ports 443, 49786, 49878), SKHT-ASShenzhenKatherineHengTechnologyInformationCo, Seychelles
  Dropped: C:\Users\user\AppData\...\downloaded_file.bin (data)
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen)

[78] 4 other processes
  Dropped: C:\Users\user\AppData\...\downloaded_file.exe (PE32)
  Started: [86] net1.exe

[80] explorer.exe
  Network: 185.157.162.216 (ports 49888, 49917, 49925), OBE-EUROPEObenetworkEuropeSE, Sweden
  Signatures: System process connects to network (likely due to code injection or exploit); Maps a DLL or memory area into another process
  Started: [88] explorer.exe

[84] cmd.exe
  Signatures: Adds a directory exclusion to Windows Defender
  Started: [91] powershell.exe; [93] conhost.exe

[88] explorer.exe
  Signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal browser information (history, passwords, etc)

[91] powershell.exe
  Signatures: Loading BitLocker PowerShell Module