Threat name: LummaC, Amadey, LummaC Stealer, PureLog
Alert
Classification: troj.spyw.expl.evad
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Drops script at startup location
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Yara detected Amadey's Clipper DLL
Yara detected Amadey's stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Vidar stealer
Behavior Graph
ID: 1551740
Sample: file.exe
Startdate: 08/11/2024
Architecture: WINDOWS
Score: 100

Process tree (numbers in brackets are the graph's own node IDs; "started" and "dropped" are the graph's edge labels):

[2] Start
    signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; 24 other signatures
    started: [10] axplong.exe; [15] file.exe; [17] Application.exe; [19] 4 other processes

[10] axplong.exe
    DNS/IP: 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 185.215.113.36 (WHOLESALECONNECTIONSNL, Portugal)
    dropped: C:\Users\user\AppData\...\3d3b106131.exe (PE32); C:\Users\user\AppData\...\f0cd2abec1.exe (PE32); C:\Users\user\AppData\Local\...\bqkriy6l.exe (PE32); 23 other malicious files
    signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
    started: [21] stealc_default2.exe; [26] f86nrrc6.exe; [28] e475dc68dc.exe; [40] 2 other processes

[15] file.exe
    dropped: C:\Users\user\AppData\Local\...\axplong.exe (PE32); C:\Users\user\...\axplong.exe:Zone.Identifier (ASCII)
    signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
    started: [30] axplong.exe

[17] Application.exe
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; 3 other signatures
    started: [32] AppLaunch.exe; [34] AppLaunch.exe

[19] 4 other processes
    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
    started: [36] EcoCraft.scr; [38] EcoCraft.scr

[21] stealc_default2.exe
    DNS/IP: 185.215.113.17 (WHOLESALECONNECTIONSNL, Portugal)
    dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 9 other files (5 malicious)
    signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 6 other signatures

[26] f86nrrc6.exe
    DNS/IP: 185.215.113.206 (WHOLESALECONNECTIONSNL, Portugal); 172.67.131.150 (CLOUDFLARENETUS, United States)
    signatures: Detected unpacking (changes PE section rights); Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Query firmware table information (likely to detect VMs); 4 other signatures

[28] e475dc68dc.exe
    dropped: C:\ProgramData\ogriIqEF\Application.exe (PE32)
    signatures: Contains functionality to start a terminal service; Writes to foreign memory regions; Injects a PE file into a foreign process
    started: [42] AppLaunch.exe; [46] AppLaunch.exe; [49] AppLaunch.exe

[30] axplong.exe
    signatures: Tries to evade debugger and weak emulator (self modifying code); 2 other signatures

[40] 2 other processes
    dropped: C:\Users\user\AppData\Local\...\Gxtuum.exe (PE32)
    started: [51] cmd.exe; [53] Gxtuum.exe

[42] AppLaunch.exe
    DNS/IP: 185.215.113.217 (WHOLESALECONNECTIONSNL, Portugal); 185.156.72.65 (ITDELUXE-ASRU, Russian Federation); 2 other IPs or domains
    dropped: C:\Users\user\AppData\Local\...\te3tlsre.exe (PE32); C:\Users\user\AppData\Local\...\mixtwo.exe (PE32); C:\Users\user\AppData\Local\...\cdata.exe (PE32+); 3 other malicious files
    started: [55] cdata.exe

[46] AppLaunch.exe
    signatures: Creates HTML files with .exe extension (expired dropper behavior)

[51] cmd.exe
    dropped: C:\Users\user\AppData\...\Jurisdiction.pif (PE32)
    signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
    started: [58] Jurisdiction.pif; [61] conhost.exe; [63] tasklist.exe; [65] 7 other processes

[53] Gxtuum.exe
    signatures: Contains functionality to start a terminal service

[55] cdata.exe
    dropped: C:\Users\user\AppData\Local\...\cdata.dll (PE32+)

[58] Jurisdiction.pif
    dropped: C:\Users\user\AppData\Local\...\EcoCraft.scr (PE32); C:\Users\user\AppData\Local\...\EcoCraft.js (ASCII)
    signatures: Drops PE files with a suspicious file extension
    started: [67] cmd.exe; [70] cmd.exe

[67] cmd.exe
    dropped: C:\Users\user\AppData\...\EcoCraft.url (MS)
    started: [72] conhost.exe

[70] cmd.exe
    started: [74] conhost.exe; [76] schtasks.exe