MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a60834e7cafde2e9ad9b99b26201af6c78520fa6c2adbed6a7a9c31810b7b64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a60834e7cafde2e9ad9b99b26201af6c78520fa6c2adbed6a7a9c31810b7b64
SHA3-384 hash: b9ed6da9113a597f9ded4fcd225727db767bf25ff4d4fa733e22b5e9bbe5608dc1f269d631ef83d6bc8203099d13a601
SHA1 hash: 0140281245024b95c63ffc1170f8a55150815f52
MD5 hash: f98a1aa99f81b5f5de9afac96867c0a7
humanhash: mars-minnesota-uranus-cola
File name:0a60834e7cafde2e9ad9b99b26201af6c78520fa6c2adbed6a7a9c31810b7b64
Download: download sample
Signature Amadey
Create hunting rule
File size:7'343 bytes
First seen:2022-07-13 04:48:46 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 96:8jXLmDe29+8ZdJpIexkmEe29+8ZdJp1eLri6yAnYjgsjQiv7p:8jXIzezLlQiz
TLSH T157E1292CC98D4B2ED9B28B38D0D95202F4937D16363ECA06909F8362F753643E8DA75D
Reporter JAMESWT_WT
Tags:Amadey lnk

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://moscow13.at/rest/index.php https://threatfox.abuse.ch/ioc/831988/

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL
Create hunting rule

MiscreantPunch.INFO.LNK.CMDPSHELL.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.PShellEncoderGamesTheMessage.20220523.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/0a60834e7cafde2e9ad9b99b26201af6c78520fa6c2adbed6a7a9c31810b7b64/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd cmd.exe evasive fingerprint greyware hidden packed powershell
Link:
https://www.filescan.io/uploads/62ce4efb8dab2096b9925853/reports/97d8a25c-d131-4c90-aa6b-8ad48866a852/overview
Result
Verdict:
MALICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1029862
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 662356 Sample: d0byVm2wxm Startdate: 13/07/2022 Architecture: WINDOWS Score: 100 71 moscow12.at 2->71 89 Snort IDS alert for network traffic 2->89 91 Multi AV Scanner detection for domain / URL 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 12 other signatures 2->95 11 cmd.exe 1 2->11         started        14 bguuwe.exe 2->14         started        signatures3 process4 signatures5 119 Windows shortcut file (LNK) starts blacklisted processes 11->119 121 Suspicious powershell command line found 11->121 123 Very long command line found 11->123 16 powershell.exe 14 22 11->16         started        21 conhost.exe 1 11->21         started        process6 dnsIp7 69 facturacion.sat.gob.mx.in-arc.com 144.208.69.7, 49742, 80 IMH-WESTUS United States 16->69 57 C:\Users\user\AppData\Local\Temp\bluro.exe, PE32 16->57 dropped 59 C:\Users\user\AppData\Local\Temp\bluri.exe, PE32 16->59 dropped 85 Powershell drops PE file 16->85 23 bluro.exe 3 16->23         started        27 bluri.exe 10 16->27         started        file8 signatures9 process10 file11 61 C:\Users\user\AppData\Local\...\bguuwe.exe, PE32 23->61 dropped 105 Multi AV Scanner detection for dropped file 23->105 107 Detected unpacking (changes PE section rights) 23->107 109 Detected unpacking (overwrites its own PE header) 23->109 111 Contains functionality to inject code into remote processes 23->111 29 bguuwe.exe 17 23->29         started        63 C:\Users\user\AppData\...\sqlite.interop.dll, PE32 27->63 dropped 113 Windows shortcut file (LNK) starts blacklisted processes 27->113 115 Machine Learning detection for dropped file 27->115 117 Tries to harvest and steal browser information (history, passwords, etc) 27->117 34 cmd.exe 1 27->34         started        signatures12 process13 dnsIp14 79 moscow13.at 62.204.41.171, 49744, 49745, 49746 TNNET-ASTNNetOyMainnetworkFI United Kingdom 29->79 81 moscow12.at 64.44.102.207, 80 NEXEONUS United States 29->81 83 russk21.icu 29->83 65 C:\Users\user\AppData\Roaming\...\cred.dll, PE32 29->65 dropped 67 C:\Users\user\AppData\Local\...\cred[1].dll, PE32 29->67 dropped 125 Windows shortcut file (LNK) starts blacklisted processes 29->125 127 Multi AV Scanner detection for dropped file 29->127 129 Detected unpacking (changes PE section rights) 29->129 131 3 other signatures 29->131 36 rundll32.exe 29->36         started        40 cmd.exe 1 29->40         started        42 schtasks.exe 1 29->42         started        48 2 other processes 29->48 44 conhost.exe 34->44         started        46 choice.exe 1 34->46         started        file15 signatures16 process17 dnsIp18 73 russk21.icu 36->73 75 moscow13.at 36->75 77 2 other IPs or domains 36->77 97 System process connects to network (likely due to code injection or exploit) 36->97 99 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->99 101 Tries to steal Instant Messenger accounts or passwords 36->101 103 2 other signatures 36->103 50 reg.exe 1 40->50         started        53 conhost.exe 40->53         started        55 conhost.exe 42->55         started        signatures19 process20 signatures21 87 Creates an undocumented autostart registry key 50->87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a60834e7cafde2e9ad9b99b26201af6c78520fa6c2adbed6a7a9c31810b7b64/
Threat name:
Shortcut.Trojan.Powecod
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 15:05:15 UTC
File Type:
Binary
AV detection:
10 of 40 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bjqigtt4v7pc5gwzxgnsmia263dykih2nqvnx3lkpkoddailpnsa._file
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220713-ffnyhsaahq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
An obfuscated cmd.exe command-line is typically used to evade detection.
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Malware Config
C2 Extraction:
russk21.icu/rest/index.php
moscow13.at/rest/index.php
moscow12.at/rest/index.php
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0a60834e7caf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a60834e7cafde2e9ad9b99b26201af6c78520fa6c2adbed6a7a9c31810b7b64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments