MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 083108736f1e4d0fae4243cd285903a9335865bef6623254b808b8e1cbe8f5cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 083108736f1e4d0fae4243cd285903a9335865bef6623254b808b8e1cbe8f5cf
SHA3-384 hash: 1a46924662b2f63ab0a5ce12bec20a70d6de1df55ec53017cbfdfd5b8256137b07065ab4c39f5cd12f94dd5527379c48
SHA1 hash: d0f48a5761efbb38a4d195c69d6382b9e9748ed6
MD5 hash: 9adcb26071e8018dc0b576b39acb980e
humanhash: kilo-river-fanta-virginia
File name:9adcb26071e8018dc0b576b39acb980e.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:251'904 bytes
First seen:2023-01-13 20:45:28 UTC
Last seen:2023-01-13 22:48:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ff81011ab3449dee85df51db7b508091 (10 x Amadey)
ssdeep 6144:Qz8ZyCgsd7iPhN0H9VGTr/mf6AoqQu1ypaheC7lQ:8AAoEJ3/3AIu1yqeC
TLSH T19B3409217D26C031D660517729B9BFF2C19DA8259BB049DB7B800F7BDA122E63970E3D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://researchersgokick.rocks/7gjD0Vs3d/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
9adcb26071e8018dc0b576b39acb980e.exe
Verdict:
Malicious activity
Analysis date:
2023-01-13 20:48:48 UTC
Tags:
trojan amadey opendir loader
Link:
https://app.any.run/tasks/4b16acd4-8337-4f38-8907-69b6e1e51bab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352749/
Detection(s):
SecuriteInfo.com.Variant.Barys.321153.5435.25124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Creating a window
Creating a file
DNS request
Sending an HTTP POST request
Delayed reading of the file
Sending an HTTP GET request
Sending a custom TCP request
Adding an access-denied ACE
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/60139/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
GetTempPath
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey barys greyware shell32.dll
Link:
https://www.filescan.io/uploads/63c1c30cacfeda6ef9c33fdd/reports/88767f33-2a7a-45d7-a01d-da7864487510/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c75a6f75-e862-439f-8dab-199c398d2603
Result
Threat name:
Amadey, EICAR
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1151433
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected EICAR
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 784165 Sample: 66FKqaXJjL.exe Startdate: 13/01/2023 Architecture: WINDOWS Score: 100 105 Multi AV Scanner detection for domain / URL 2->105 107 Malicious sample detected (through community Yara rule) 2->107 109 Antivirus detection for URL or domain 2->109 111 13 other signatures 2->111 10 66FKqaXJjL.exe 4 2->10         started        14 cmd.exe 2->14         started        16 powershell.exe 2->16         started        18 7 other processes 2->18 process3 file4 93 C:\Users\user\AppData\Local\...\nbveek.exe, PE32 10->93 dropped 95 C:\Users\user\...\nbveek.exe:Zone.Identifier, ASCII 10->95 dropped 137 Contains functionality to inject code into remote processes 10->137 20 nbveek.exe 27 10->20         started        139 Uses powercfg.exe to modify the power settings 14->139 141 Modifies power options to not sleep / hibernate 14->141 25 conhost.exe 14->25         started        27 powercfg.exe 14->27         started        29 powercfg.exe 14->29         started        37 2 other processes 14->37 143 Creates files in the system32 config directory 16->143 31 conhost.exe 16->31         started        33 conhost.exe 18->33         started        35 conhost.exe 18->35         started        39 3 other processes 18->39 signatures5 process6 dnsIp7 97 104.244.79.187 PONYNETUS United States 20->97 99 107.189.7.245 PONYNETUS United States 20->99 101 2 other IPs or domains 20->101 79 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 20->79 dropped 81 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 20->81 dropped 83 C:\Users\user\AppData\Local\...\installer.exe, PE32+ 20->83 dropped 85 3 other malicious files 20->85 dropped 121 Antivirus detection for dropped file 20->121 123 Multi AV Scanner detection for dropped file 20->123 125 Creates an undocumented autostart registry key 20->125 127 2 other signatures 20->127 41 installer.exe 20->41         started        45 rundll32.exe 20->45         started        47 rundll32.exe 20->47         started        49 6 other processes 20->49 file8 signatures9 process10 file11 87 C:\Users\user\AppData\Local\...\vxcykzlh.tmp, PE32+ 41->87 dropped 89 C:\...\SecurityHealthSystray.exe, PE32+ 41->89 dropped 91 C:\Windows\System32\drivers\etc\hosts, ASCII 41->91 dropped 129 Multi AV Scanner detection for dropped file 41->129 131 Writes to foreign memory regions 41->131 133 Modifies the context of a thread in another process (thread injection) 41->133 135 4 other signatures 41->135 51 dialer.exe 41->51         started        53 rundll32.exe 45->53         started        56 rundll32.exe 25 47->56         started        59 rundll32.exe 23 49->59         started        61 conhost.exe 49->61         started        63 conhost.exe 49->63         started        65 6 other processes 49->65 signatures12 process13 dnsIp14 113 System process connects to network (likely due to code injection or exploit) 53->113 115 Tries to steal Instant Messenger accounts or passwords 53->115 117 Tries to harvest and steal ftp login credentials 53->117 119 Tries to harvest and steal browser information (history, passwords, etc) 53->119 67 tar.exe 53->67         started        103 192.168.2.1 unknown unknown 56->103 69 tar.exe 56->69         started        71 tar.exe 59->71         started        signatures15 process16 process17 73 conhost.exe 67->73         started        75 conhost.exe 69->75         started        77 conhost.exe 71->77         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/083108736f1e4d0fae4243cd285903a9335865bef6623254b808b8e1cbe8f5cf/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-01-09 07:48:30 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 35 (65.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bayqq43pdzgq7lscipgsqwidvezvqzn66zrdevfybc4ods7i6xhq._file
Verdict:
malicious
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey spyware stealer trojan
Link:
https://tria.ge/reports/230113-zkafgadb78/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Amadey
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
hellomr.observer/7gjD0Vs3d/index.php
researchersgokick.rocks/7gjD0Vs3d/index.php
pleasetake.pictures/7gjD0Vs3d/index.php
Unpacked files
SH256 hash:
083108736f1e4d0fae4243cd285903a9335865bef6623254b808b8e1cbe8f5cf
MD5 hash:
9adcb26071e8018dc0b576b39acb980e
SHA1 hash:
d0f48a5761efbb38a4d195c69d6382b9e9748ed6
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/00330558-ed85-40f0-a06e-f74e51ce2830/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/083108736f1e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/083108736f1e4d0fae4243cd285903a9335865bef6623254b808b8e1cbe8f5cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/352749/

Comments