MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d3ef6b4cf3172125dc208808d24392b8a3ff9a55b00b86608c3bc692cd15cec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d3ef6b4cf3172125dc208808d24392b8a3ff9a55b00b86608c3bc692cd15cec
SHA3-384 hash: 9453da6129e2d718fc0095d144e08c7cdbd2929d25ec78933400289bb37e5ffdf48e3da18fe7927a3457f6907e9666cb
SHA1 hash: ede108a6ee9563abd647cd899537112af435d064
MD5 hash: c276d66b18e21d2bcf60bd9658fa56bd
humanhash: violet-paris-juliet-georgia
File name:08451599.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:297'472 bytes
First seen:2023-05-27 13:32:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 697c6731df2df92c82c75859d21c5f77 (4 x Glupteba, 4 x Stop, 2 x Smoke Loader)
ssdeep 3072:L79SMv2BPsjIpx+8qbmU/R1rDJOqus7Voa9dGIwHr6T2+UDQMz0pUm5Q89yZ:H9SMvpjx8qblPkbMdNwHGT8z38
Threatray 1'014 similar samples on MalwareBazaar
TLSH T16E542A1392E17D94E9264E339E2EC6E8771FF6544E0937AA6218ABEF04F0172D173781
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b0b084c484a0c820 (1 x Amadey)
Reporter Neiki
Tags:Amadey

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
08451599.exe
Verdict:
Malicious activity
Analysis date:
2023-05-27 13:35:16 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/e0b30d71-ef41-48fa-8ec2-3ba30aad2740

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392543/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed xpack
Link:
https://www.filescan.io/uploads/6472068f57e1b57c0f58da4d/reports/17a3f70d-6280-437d-b84a-d13cb346d211/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0d3ef6b4cf3172125dc208808d24392b8a3ff9a55b00b86608c3bc692cd15cec
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ca5880d-432d-48fa-a5d8-b5c66fc202e0
Result
Threat name:
Amadey, Babuk, Djvu, Fabookie, SmokeLoad
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243810
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadeys stealer DLL
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Yara detected Fabookie
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876821 Sample: 08451599.exe Startdate: 27/05/2023 Architecture: WINDOWS Score: 100 92 colisumy.com 2->92 94 api.2ip.ua 2->94 116 Snort IDS alert for network traffic 2->116 118 Found malware configuration 2->118 120 Malicious sample detected (through community Yara rule) 2->120 122 15 other signatures 2->122 11 08451599.exe 2->11         started        14 72B2.exe 2->14         started        16 jrrwfsu 2->16         started        signatures3 process4 signatures5 164 Detected unpacking (changes PE section rights) 11->164 166 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->166 168 Maps a DLL or memory area into another process 11->168 18 explorer.exe 12 40 11->18 injected 170 Detected unpacking (overwrites its own PE header) 14->170 172 Machine Learning detection for dropped file 14->172 174 Writes a notice file (html or txt) to demand a ransom 14->174 176 Injects a PE file into a foreign processes 14->176 23 72B2.exe 14 14->23         started        178 Multi AV Scanner detection for dropped file 16->178 180 Checks if the current machine is a virtual machine (disk enumeration) 16->180 182 Creates a thread in another existing process (thread injection) 16->182 process6 dnsIp7 96 187.232.244.143 UninetSAdeCVMX Mexico 18->96 98 shsplatform.co.uk 80.66.203.53 UKFASTGB United Kingdom 18->98 102 11 other IPs or domains 18->102 66 C:\Users\user\AppData\Roaming\jrrwfsu, PE32 18->66 dropped 68 C:\Users\user\AppData\Roaming\cdrwfsu, PE32 18->68 dropped 70 C:\Users\user\AppData\Local\Temp\F22F.exe, PE32 18->70 dropped 78 12 other malicious files 18->78 dropped 124 System process connects to network (likely due to code injection or exploit) 18->124 126 Benign windows process drops PE files 18->126 128 Deletes itself after installation 18->128 130 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->130 25 8803.exe 18->25         started        29 72B2.exe 18->29         started        31 E346.exe 18->31         started        33 5 other processes 18->33 100 api.2ip.ua 23->100 72 C:\Users\user\_readme.txt, ASCII 23->72 dropped 74 C:\Users\user\...\ChromeSetup.exe.vapo (copy), MS-DOS 23->74 dropped 76 C:\Users\user\Downloads\ChromeSetup.exe, MS-DOS 23->76 dropped 80 4 other malicious files 23->80 dropped 132 Modifies existing user documents (likely ransomware behavior) 23->132 file8 signatures9 process10 file11 86 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 25->86 dropped 88 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 25->88 dropped 90 C:\Users\user\AppData\Local\...90ewPlayer.exe, PE32 25->90 dropped 144 Antivirus detection for dropped file 25->144 146 Multi AV Scanner detection for dropped file 25->146 148 Machine Learning detection for dropped file 25->148 35 NewPlayer.exe 25->35         started        39 aafg31.exe 25->39         started        42 XandETC.exe 25->42         started        150 Detected unpacking (changes PE section rights) 29->150 152 Detected unpacking (overwrites its own PE header) 29->152 154 Injects a PE file into a foreign processes 29->154 44 72B2.exe 1 15 29->44         started        156 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 31->156 158 Maps a DLL or memory area into another process 31->158 160 Checks if the current machine is a virtual machine (disk enumeration) 31->160 162 Creates a thread in another existing process (thread injection) 31->162 46 7AAD.exe 33->46         started        48 BB35.exe 33->48         started        50 72B2.exe 33->50         started        52 2 other processes 33->52 signatures12 process13 dnsIp14 82 C:\Users\user\AppData\Local\...\mnolyk.exe, PE32 35->82 dropped 134 Antivirus detection for dropped file 35->134 136 Multi AV Scanner detection for dropped file 35->136 138 Machine Learning detection for dropped file 35->138 104 jp.imgjeoighw.com 103.100.211.218, 49728, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 39->104 106 ss.apjeoighw.com 154.221.31.191 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 39->106 110 6 other IPs or domains 39->110 140 Tries to harvest and steal browser information (history, passwords, etc) 39->140 108 api.2ip.ua 162.0.217.254, 443, 49706, 49708 ACPCA Canada 44->108 84 C:\Users\user\AppData\Local\...\72B2.exe, PE32 44->84 dropped 54 72B2.exe 44->54         started        57 icacls.exe 44->57         started        59 7AAD.exe 46->59         started        file15 signatures16 process17 signatures18 142 Injects a PE file into a foreign processes 54->142 61 72B2.exe 12 54->61         started        64 7AAD.exe 59->64         started        process19 dnsIp20 112 api.2ip.ua 61->112 114 api.2ip.ua 64->114
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d3ef6b4cf3172125dc208808d24392b8a3ff9a55b00b86608c3bc692cd15cec/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-05-27 13:33:06 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bu7pnngpgfzbexocbcai2jbzfofd76nflmalqzqiyo6gslgrltwa._file
Verdict:
malicious
Similar samples:
3a7a5677e028001086397a06a1bcbcb964a43c9ef768eedd4f1211bc11b19817
Amadey
72fe96710a11c58cffc2a88f057a13d2651bd96397bc86a0f4cd85fcfd274535
Amadey
76ef5d1a33360d1e5e041111a7fbed2f2b07bd90f5ff4365bd423ba28fb544f0
Amadey
9e6cc7a86992947cb5dd8a26434fa6893d8462d646a3075bfeea7f15c333b2fa
Amadey
bb178f666699a5eba12b4e6eb3386cba3ccb030839252eb3cf2e6fb10140c6d7
Amadey
c62b3ddb8d5e3e5e9a642bf80628d67ea4068aab87b229c0e03094e099715c2e
Amadey
c6dd25dcabf4bcb343f25f084c237b432d2f1aef3600129f6f784cd2969645e6
Amadey
cc72645315b31d8414311a0a2b3ba505b4a65067b72364c3e9f48e1d066bda25
Amadey
cc86e630d4c4236ce2f4778b4f14c6984370c5b921d7ca0526bf2a5aac47247e
Amadey
ff2fd176bf9e9d4265296174c60132ee5238e4217e6b9b32a5e474cfad35ce66
Amadey
+ 1'004 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 botnet:summ backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/230527-qtjk3aca47/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
45.9.74.80/0bjdn2Z/index.php
Gathering data
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d3ef6b4cf31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d3ef6b4cf3172125dc208808d24392b8a3ff9a55b00b86608c3bc692cd15cec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/392543/

Comments