MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc
SHA3-384 hash: 90d613dc1a83af520766a7e2de2ba7446c9e0165ce7421099f95a8004687bd1bf962e654f686eb6144043d941bc8db93
SHA1 hash: 4fa6468cd70687385c225f1500ae570102a4e370
MD5 hash: 46c3863c4f153d69dbf4d5bfbbc90a73
humanhash: lion-seven-friend-arizona
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:3'000'320 bytes
First seen:2024-12-15 10:56:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:hqfRikf1mVQKq9GM/4qQlc6eBhwMPsy1YtXA:hq5ikf1mVPq9J/ga6eBhwMP8
TLSH T11AD54B67E50576CFE48F33785827CE82695D03BA472108D3A81DA47EBFA3CCA19B5C19
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
538
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-12-15 10:59:05 UTC
Tags:
amadey botnet stealer loader lumma arch-exec stealc vidar telegram themida
Link:
https://app.any.run/tasks/a4fbef37-1982-41e5-abbf-ffb337f4a19f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.23135.5030.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675eb7848fb73f13afc97d21
Tags:
vmdetect autorun lien spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm evasive fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/675eb5fe49a3171a94277d1b/reports/79d29ab8-5579-47a8-88b9-d6690660915e/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/766f92ec-9cc8-4733-83f1-0a69d22048f0
Result
Threat name:
LummaC, Amadey, LummaC Stealer, Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1575381
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1575381 Sample: file.exe Startdate: 15/12/2024 Architecture: WINDOWS Score: 100 83 effecterectz.xyz 2->83 85 diffuculttan.xyz 2->85 87 11 other IPs or domains 2->87 105 Multi AV Scanner detection for domain / URL 2->105 107 Suricata IDS alerts for network traffic 2->107 109 Found malware configuration 2->109 113 17 other signatures 2->113 9 skotes.exe 2 35 2->9         started        14 file.exe 5 2->14         started        16 7bOe0mBZpcivp612.exe 2 2->16         started        18 2 other processes 2->18 signatures3 111 Performs DNS queries to domains with low reputation 85->111 process4 dnsIp5 99 185.215.113.43, 49748, 49754, 49776 WHOLESALECONNECTIONSNL Portugal 9->99 101 185.215.113.16, 49857, 49876, 49894 WHOLESALECONNECTIONSNL Portugal 9->101 103 2 other IPs or domains 9->103 59 C:\Users\user\AppData\...\b12a870d60.exe, PE32 9->59 dropped 61 C:\Users\user\AppData\...\e145bb7f6e.exe, PE32 9->61 dropped 63 C:\Users\user\AppData\...\f2cd5ac1bd.exe, PE32 9->63 dropped 75 9 other malicious files 9->75 dropped 149 Creates multiple autostart registry keys 9->149 151 Hides threads from debuggers 9->151 153 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->153 155 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 9->155 20 378e4894d2.exe 9->20         started        24 e145bb7f6e.exe 9->24         started        26 ShtrayEasy35.exe 2 9->26         started        37 3 other processes 9->37 65 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->65 dropped 67 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->67 dropped 157 Detected unpacking (changes PE section rights) 14->157 159 Tries to evade debugger and weak emulator (self modifying code) 14->159 161 Tries to detect virtualization through RDTSC time measurements 14->161 29 skotes.exe 14->29         started        69 C:\Users\user\...\xHdN9si8LjqmZs2y.exe, PE32 16->69 dropped 31 xHdN9si8LjqmZs2y.exe 1 16->31         started        71 C:\Users\user\...\WT0pal2n7uSoixsQ.exe, PE32 18->71 dropped 73 C:\Users\user\...\LOVI3rtjoHDpADyV.exe, PE32 18->73 dropped 33 WT0pal2n7uSoixsQ.exe 18->33         started        35 LOVI3rtjoHDpADyV.exe 18->35         started        file6 signatures7 process8 dnsIp9 89 deafeninggeh.biz 104.21.16.1, 443, 49791, 49935 CLOUDFLARENETUS United States 20->89 91 shineugler.biz 104.21.51.88, 443, 49777 CLOUDFLARENETUS United States 20->91 93 2 other IPs or domains 20->93 115 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->115 117 Machine Learning detection for dropped file 20->117 119 Tries to evade debugger and weak emulator (self modifying code) 20->119 121 Hides threads from debuggers 24->121 123 Tries to detect sandboxes / dynamic malware analysis system (registry check) 24->123 125 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 24->125 77 C:\Users\user\...\7bOe0mBZpcivp612.exe, PE32 26->77 dropped 39 7bOe0mBZpcivp612.exe 1 3 26->39         started        127 Antivirus detection for dropped file 29->127 129 Multi AV Scanner detection for dropped file 29->129 131 Detected unpacking (changes PE section rights) 29->131 139 2 other signatures 29->139 133 Found API chain indicative of debugger detection 31->133 43 WerFault.exe 31->43         started        45 WerFault.exe 33->45         started        47 WerFault.exe 35->47         started        79 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 37->79 dropped 81 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 37->81 dropped 135 Contains functionality to register a low level keyboard hook 37->135 137 Injects a PE file into a foreign processes 37->137 49 f2cd5ac1bd.exe 37->49         started        51 cmd.exe 37->51         started        53 conhost.exe 37->53         started        file10 signatures11 process12 dnsIp13 95 89.23.100.42, 49797, 49826, 49845 MAXITEL-ASRU Russian Federation 39->95 141 Antivirus detection for dropped file 39->141 143 Machine Learning detection for dropped file 39->143 145 Found API chain indicative of debugger detection 39->145 147 Creates multiple autostart registry keys 39->147 55 WerFault.exe 39->55         started        97 drive-connect.cyou 104.21.79.7, 443, 49890 CLOUDFLARENETUS United States 49->97 57 conhost.exe 51->57         started        signatures14 process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-12-15 10:57:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bvkrckk7c5gr6z7w2sifv4d5yc5wcblsg5dhh76xb35mctzgl7oa._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:stealc family:xmrig botnet:9c9aa5 botnet:stok credential_access discovery evasion miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/241215-m188hstncl/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Windows security modification
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Xmrig family
xmrig
Malware Config
C2 Extraction:
http://185.215.113.43
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
https://shineugler.biz/api
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
http://185.215.113.206
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a1b052c3-6524-4bc9-ba65-e93391a3d8ff
Unpacked files
SH256 hash:
8d473fac55a8bde4c59d8a0c9f43e3ed36d40f970994db69280f0264bd398798
MD5 hash:
242310a8c9fad223eb57e3f05afdd631
SHA1 hash:
99c935f7f56b372065cfc6a708caf46b8693b448
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/350e5960-62f0-4f3e-b197-3ac2babec59e/
SH256 hash:
0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc
MD5 hash:
46c3863c4f153d69dbf4d5bfbbc90a73
SHA1 hash:
4fa6468cd70687385c225f1500ae570102a4e370
Link:
https://www.unpac.me/results/350e5960-62f0-4f3e-b197-3ac2babec59e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 0d5511295f174d1f67f6d4905af07dc0bb610572374673ffd70efac14f265fdc

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3279844/
  
URLhaus
https://urlhaus.abuse.ch/url/3338012/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments