MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 087803c1f1b8f92278be8ce2ff6b451c493b08ea9f315fb24cb4d5a65beb6a5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 087803c1f1b8f92278be8ce2ff6b451c493b08ea9f315fb24cb4d5a65beb6a5c
SHA3-384 hash: 2180c9ac01220d4d351bbe63718e7cc51047bca25e0bc52fbffe1ffab0528db255bfb7ece443702b1c42dd71b97386cd
SHA1 hash: c7e720d43983353fd2728b03249ae689b1401360
MD5 hash: ae3f5573da344b46430e75c05b864db0
humanhash: cardinal-ink-stairway-august
File name:SecuriteInfo.com.Trojan.Siggen22.55359.19257.21303
Download: download sample
Signature Amadey
Create hunting rule
File size:5'370'560 bytes
First seen:2023-12-28 04:12:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ea02e00483c90b3f210e2d517ab619a (14 x Amadey, 2 x CoinMiner)
ssdeep 98304:x0ffNZyiLLIHChf0MC6VD1+wuDROFZR9T8KBD/hBBDNB2u/s1C8ljQ:xiyiYsc01QDsFZRN8wDPBbUU85Q
TLSH T15B46337CB08555E1E7F599B54A9EC8A24A11FDDE07121237B1ECAD072E320DE0B3E53A
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d0d8d8d0d8c8f0d0 (1 x Amadey)
Reporter SecuriteInfoCom
Tags:Amadey exe signed

Code Signing Certificate

Organisation:(C) 1998-2020 Logitech. All rights reserved.
Issuer:(C) 1998-2020 Logitech. All rights reserved.
Algorithm:sha1WithRSAEncryption
Valid from:2023-12-07T10:12:32Z
Valid to:2033-12-08T10:12:32Z
Serial number: 7512ce1765217a844e1b7a9084fbc3e3
Intelligence: 11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: eb6713a9cfe98c8d67262e2177d9726553023a0ce738d22f9d14eac8d1019f51
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
495
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
kelihos
Create hunting rule
ID:
1
File name:
bomb.exe
Verdict:
Malicious activity
Analysis date:
2023-12-27 18:00:23 UTC
Tags:
opendir hausbomber loader risepro stealer evasion metasploit kelihos trojan payload amadey botnet stealc lumma nanocore agenttesla purplefox backdoor guloader redline formbook spyware socks5systemz proxy dupzom
Link:
https://app.any.run/tasks/3895ca39-1624-4200-bebe-1b7152393dba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469489/
Detection(s):
SecuriteInfo.com.Trojan.Siggen22.55359.19257.21303.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a file
Delayed reading of the file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching the process to change network settings
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmpress lolbin mpress overlay packed packed packed shell32
Link:
https://www.filescan.io/uploads/658cf5cfb855eb3693fd99b0/reports/fa3b0637-b279-4f8d-9fad-6206ba80f1ba/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/087803c1f1b8f92278be8ce2ff6b451c493b08ea9f315fb24cb4d5a65beb6a5c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82c0d34f-34c7-4052-b0f9-6cc4624fb397
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1367565
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1367565 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 28/12/2023 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 Antivirus detection for URL or domain 2->57 59 8 other signatures 2->59 10 SecuriteInfo.com.Trojan.Siggen22.55359.19257.21303.exe 4 2->10         started        14 Utsysc.exe 2->14         started        process3 file4 49 C:\Users\user\AppData\Local\...\Utsysc.exe, MS-DOS 10->49 dropped 71 Detected unpacking (changes PE section rights) 10->71 73 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->73 75 Query firmware table information (likely to detect VMs) 10->75 77 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 10->77 16 Utsysc.exe 19 10->16         started        79 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->79 81 Hides threads from debuggers 14->81 83 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->83 signatures5 process6 dnsIp7 51 185.172.128.5, 49738, 49739, 80 NADYMSS-ASRU Russian Federation 16->51 41 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 16->41 dropped 43 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 16->43 dropped 45 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 16->45 dropped 47 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 16->47 dropped 61 Multi AV Scanner detection for dropped file 16->61 63 Detected unpacking (changes PE section rights) 16->63 65 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->65 67 7 other signatures 16->67 21 rundll32.exe 16->21         started        23 rundll32.exe 12 16->23         started        26 schtasks.exe 1 16->26         started        file8 signatures9 process10 signatures11 28 rundll32.exe 23 21->28         started        69 System process connects to network (likely due to code injection or exploit) 23->69 31 conhost.exe 26->31         started        process12 signatures13 85 Tries to steal Instant Messenger accounts or passwords 28->85 87 Uses netsh to modify the Windows network and firewall settings 28->87 89 Tries to harvest and steal ftp login credentials 28->89 91 2 other signatures 28->91 33 powershell.exe 26 28->33         started        35 netsh.exe 2 28->35         started        process14 process15 37 conhost.exe 33->37         started        39 conhost.exe 35->39         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/087803c1f1b8f92278be8ce2ff6b451c493b08ea9f315fb24cb4d5a65beb6a5c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/087803c1f1b8f92278be8ce2ff6b451c493b08ea9f315fb24cb4d5a65beb6a5c/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-12-27 19:57:12 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bb4ahqprxd4se6f6rtrp622fdretwchkt4yv7msmwtk2mw7lnjoa._file
Verdict:
unknown
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey evasion trojan
Link:
https://tria.ge/reports/231228-es3rrsbbh4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Malware Config
C2 Extraction:
http://185.172.128.5
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/215b5128-e277-4545-abbc-e2cdf659db42/
SH256 hash:
205108f5dbdea4b76123a8b0b8b85b8964dc9b29738b577461e64ae0cce5c760
MD5 hash:
67ec4e4ade9c54f411d8932456774978
SHA1 hash:
a84d20a2df89c183663222ef8accdc169bb90351
Detections:
win_amadey
Create hunting rule
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/215b5128-e277-4545-abbc-e2cdf659db42/
SH256 hash:
087803c1f1b8f92278be8ce2ff6b451c493b08ea9f315fb24cb4d5a65beb6a5c
MD5 hash:
ae3f5573da344b46430e75c05b864db0
SHA1 hash:
c7e720d43983353fd2728b03249ae689b1401360
Detections:
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/215b5128-e277-4545-abbc-e2cdf659db42/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/087803c1f1b8f92278be8ce2ff6b451c493b08ea9f315fb24cb4d5a65beb6a5c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 087803c1f1b8f92278be8ce2ff6b451c493b08ea9f315fb24cb4d5a65beb6a5c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2739361/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2744395/
  
URLhaus
https://urlhaus.abuse.ch/url/2733669/
  
URLhaus
https://urlhaus.abuse.ch/url/2737075/
Cape
Cape
https://www.capesandbox.com/analysis/469489/

Comments