MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 2 File information Comments

SHA256 hash:	05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1
SHA3-384 hash:	507dbcf7fb417c83d44b1bf5f3a4b8da8d56002c050a068e1d46f658aa94ae48b7e7bbbb7658845398d5fab3553899cc
SHA1 hash:	8ea79e0e0523e9b7d1993ab08408d3b369c2a802
MD5 hash:	a76608f42563198c86f4a7f10ea910cc
humanhash:	undress-video-double-quiet
File name:	a76608f42563198c86f4a7f10ea910cc.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	383'488 bytes
First seen:	2022-05-27 14:21:01 UTC
Last seen:	2022-05-27 14:45:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	151adccff5e70213fb31de55ca880f7e (6 x RedLineStealer, 2 x Smoke Loader, 1 x Amadey)
ssdeep	6144:AEoO9umboh5zS8mJWHiePpHhrrJYyigaJwVf2:+O9joTz9tieBHhrry3p
Threatray	675 similar samples on MalwareBazaar
TLSH	T1EF84E040F790C870E45A1E344464DBB25B3BB8626A709507F7949B6F1EB33D09AB732B
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
31.41.244.109:3590

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
31.41.244.109:3590	https://threatfox.abuse.ch/ioc/642255/

Intelligence

File Origin

# of uploads :

# of downloads :

335

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a76608f42563198c86f4a7f10ea910cc.exe

Verdict:

No threats detected

Analysis date:

2022-05-27 14:21:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ad938871-b98a-4622-9100-4cd5a8d4fd00

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/274966/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.33190.11030.1422.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Blocking the Windows Defender launch

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6290de8d3223462f89e55854/reports/ea2da453-e3b8-4d83-aafd-5b69670ab0cb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

silver implant

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/229dce3d-2e74-4125-a2fc-82d14dac6038

Result

Threat name:

PrivateLoader, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1002675

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Disable Windows Defender real time protection (registry)

Found C&C like URL pattern

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected PrivateLoader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-05-19 00:29:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=awrqfc6e6eh7god3jbwboely67k2jbsn4wpwne6s3s624a2yediq._file

Verdict:

malicious

Amadey

30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6

Amadey

3fdf21f7ad2430c552a8dc34c6fbaf82d95a0f44b9a7bd514d89ad3d074d345f

Amadey

56a34b76ba7c81e554eeb1dcfe93a6d0f61103536f9a0387fb220768bd2149df

Amadey

80cdfc120b7824e7cb5b34fc9ab1b6b43b84dfb435fd8f3e681ad4ae0ebd41de

Amadey

81ec5293c1be63d2bdb173f258830914b3dfd094159211f1703b4666eeca1cbc

Amadey

+ 665 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:amadey family:djvu family:redline family:vidar botnet:937 botnet:@humus228p botnet:install botnet:ruzkiunikalno discovery evasion infostealer ransomware spyware stealer suricata themida trojan upx vmprotect

Link:

https://tria.ge/reports/220527-rnzkrsbda3/

Behaviour

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Themida packer

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

VMProtect packed file

Vidar Stealer

Amadey

Detected Djvu ransomware

Djvu Ransomware

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine Payload

Vidar

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

Malware Config

C2 Extraction:

193.233.48.58:38989
31.41.244.109:3590
185.215.113.38/f8dfksdj3/index.php
https://t.me/hyipsdigest
https://mastodon.online/@ronxik13
http://ugll.org/test3/get.php
185.215.113.24:15994

Unpacked files

SH256 hash:

eaac934eb8c0d46762dcfe0aacc02969ea1514f31ada9f4d5849da0518d0f725

MD5 hash:

923b24e40767143bbcdb6450e77353bc

SHA1 hash:

f9437a36bb01a0d9cd668ef2669bb3b627fd4116

Link:

https://www.unpac.me/results/4b6a5e9d-79cf-440d-9aed-3f073c252468/

SH256 hash:

05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1

MD5 hash:

a76608f42563198c86f4a7f10ea910cc

SHA1 hash:

8ea79e0e0523e9b7d1993ab08408d3b369c2a802

Link:

https://www.unpac.me/results/4b6a5e9d-79cf-440d-9aed-3f073c252468/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/05a3028bc4f1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_DLInjector06 Create hunting rule
Author:	ditekSHen
Description:	Detects downloader / injector

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/274966/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample