MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a0c50dbc5d0c9811bfd0552ddd075e0e1df2cf07049cc546e41f9bf08cb8290. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 14


SHA256 hash: 0a0c50dbc5d0c9811bfd0552ddd075e0e1df2cf07049cc546e41f9bf08cb8290
SHA3-384 hash: fd06596808577ab15a9f196033eb60e01ab3345e8f4cb8b18d392bf7e9c8a6ea91be250cc0a0f02e274931b30ed5f5b6
SHA1 hash: a5b116f5801bd1adad5adc4f8da68aaaae565c98
MD5 hash: 57494e075f2db4e3b06f1772a106d1aa
humanhash: spaghetti-cold-fifteen-red
File name: 57494e075f2db4e3b06f1772a106d1aa
Signature: Amadey
File size: 6'107'136 bytes
First seen: 2023-06-13 21:31:05 UTC
Last seen: 2023-07-19 03:37:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 846876fcfaab8d0675698c01a809ad4d (1 x Amadey, 1 x CoinMiner, 1 x RedLineStealer)
ssdeep: 98304:qoqwCSVZ/CBn6VqfRPsFfk/2LwgJzCpyUmdD3WV6O90dEC6KZ6YolvgFI48gQdz7:hqYVCBn6oJefe2LZzAm66jX/FAgW
Threatray: 50 similar samples on MalwareBazaar
TLSH: T12D56125F614CA358C01AC43C9123BD05B3B2611F8BF9A9BB71DBBAC07BAB710D546B46
TrID:
44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 8084e0e8e8e8e861 (1 x Amadey)
Reporter: zbetcheckin
Tags: 64 Amadey exe FruitMiX

Intelligence


File Origin
# of uploads: 2
# of downloads: 310
Origin country: FR
Vendor Threat Intelligence

Malware family:
ID: 1
File name: https://globalafs.com/download/File_pass1234.7z
Verdict: Malicious activity
Analysis date: 2023-06-13 20:21:14 UTC
Tags: privateloader opendir evasion loader amadey trojan gcleaner smoke tofsee redline ransomware stop stealer vidar miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Changing a file
Creating a window
Modifying a system file
Creating synchronization primitives
DNS request
Sending a custom TCP request
Replacing files
Sending an HTTP GET request
Launching a service
Reading critical registry keys
Launching a process
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Launching a tool to kill processes
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware lolbin packed shell32.dll
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Fabookie, Glupteba, Nymaim, Priv
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Found C&C like URL pattern
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Glupteba
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph: Behavior Graph ID 886941, sample 1ufU1QgrDg.exe, start date 13/06/2023, architecture WINDOWS, score 100 (graph rendering not reproduced here)
Threat name: Win64.Trojan.Privateloader
Status: Malicious
First seen: 2023-06-13 17:54:16 UTC
File Type: PE+ (Exe)
Extracted files: 6
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SHA256 hash: 0a0c50dbc5d0c9811bfd0552ddd075e0e1df2cf07049cc546e41f9bf08cb8290
MD5 hash: 57494e075f2db4e3b06f1772a106d1aa
SHA1 hash: a5b116f5801bd1adad5adc4f8da68aaaae565c98
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Amadey | Executable exe | 0a0c50dbc5d0c9811bfd0552ddd075e0e1df2cf07049cc546e41f9bf08cb8290 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2023-06-13 21:31:06 UTC

url : hxxp://163.123.143.4/download/WWW14_64.exe