MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0efe90fbe05fdbe7645cc238be406b3add95c4b2307120b73697674ad408b0de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0efe90fbe05fdbe7645cc238be406b3add95c4b2307120b73697674ad408b0de
SHA3-384 hash: 33d3d6af9710eac37ee2d9ce81ab57be357ed49e72bff8ac7e96aa9ed41bf7b716a3e1fbc585bf4b47d87e12b18a55e8
SHA1 hash: d35920fb066076b09bec255f4521aed4ab8918cc
MD5 hash: 9715d63d92cd5ebcc3f6c5cb50bd461f
humanhash: blue-july-uranus-emma
File name:tmpA37F.bin
Download: download sample
Signature Amadey
Create hunting rule
File size:402'944 bytes
First seen:2023-09-18 07:10:19 UTC
Last seen:2023-09-18 07:10:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5e51b89a67e14498bdb3230e289423b1 (2 x Smoke Loader, 1 x CoinMiner, 1 x Stealc)
ssdeep 6144:ogyebCLfoDJy/s52oeXxGKiW00x5ALyiCy7Ie:oWbofesgeGk00ryfMe
Threatray 2 similar samples on MalwareBazaar
TLSH T1FD848D0353E3BC54F5264A324E2EBAE47A1DF9A18F1927ABD218AB2F15B01F1C173715
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0000008048200000 (1 x Amadey)
Reporter JAMESWT_WT
Tags:171-22-28-208 Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
295
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
http://171.22.28.208/download/
Verdict:
Malicious activity
Analysis date:
2023-09-13 19:20:44 UTC
Tags:
opendir loader privateloader evasion redline stealer fabookie amadey botnet trojan smoke risepro
Link:
https://app.any.run/tasks/c3fe217c-ddae-47e3-ab34-343cb7b517d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449264/
Detection(s):
Win.Dropper.Tofsee-10008085-0
Create hunting rule

Win.Dropper.Tofsee-10008086-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Creating a process with a hidden window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gcleaner greyware masquerade packed
Link:
https://www.filescan.io/uploads/6507f8080870810f018115ea/reports/93d5657b-7aed-4dea-bdfc-ac2799844e77/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0efe90fbe05fdbe7645cc238be406b3add95c4b2307120b73697674ad408b0de
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc0e37ae-c060-450f-b9a1-d4e0971ab2e3
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309819
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1309819 Sample: tmpA37F.bin.exe Startdate: 18/09/2023 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 8 other signatures 2->52 8 tmpA37F.bin.exe 3 2->8         started        12 yiueea.exe 2->12         started        process3 file4 42 C:\Users\user\AppData\Local\...\yiueea.exe, PE32 8->42 dropped 54 Detected unpacking (changes PE section rights) 8->54 56 Detected unpacking (overwrites its own PE header) 8->56 58 Contains functionality to inject code into remote processes 8->58 14 yiueea.exe 13 8->14         started        18 WerFault.exe 9 8->18         started        20 WerFault.exe 9 8->20         started        22 4 other processes 8->22 signatures5 process6 dnsIp7 44 185.215.113.35, 49717, 49718, 49719 WHOLESALECONNECTIONSNL Portugal 14->44 60 Multi AV Scanner detection for dropped file 14->60 62 Detected unpacking (changes PE section rights) 14->62 64 Detected unpacking (overwrites its own PE header) 14->64 66 2 other signatures 14->66 24 cmd.exe 14->24         started        26 schtasks.exe 14->26         started        28 WerFault.exe 14->28         started        30 9 other processes 14->30 signatures8 process9 process10 32 conhost.exe 24->32         started        34 cmd.exe 24->34         started        36 cacls.exe 24->36         started        40 3 other processes 24->40 38 conhost.exe 26->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0efe90fbe05fdbe7645cc238be406b3add95c4b2307120b73697674ad408b0de/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2023-09-14 02:01:14 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
32 of 38 (84.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b37jb67al7n6ozc4yi4l4qdlhlozlrfsgbysbnzws5tuvvaiwdpa._file
Verdict:
malicious
Similar samples:
884696bd9335b0113cf3f2d8ea9741e09f80a11a2c1eb2cc1bd3fd8835c62e89
Amadey
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey trojan
Link:
https://tria.ge/reports/230918-hzyceaff5s/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Malware Config
C2 Extraction:
http://185.215.113.35/bkd7djmsa/index.php
Unpacked files
SH256 hash:
45eadfb8f4bb0c23459cffe147dccaa15048bf5c8aed4c7bf55117caf882c8f5
MD5 hash:
d2ce540c90f0b55b8465bf78df5d1245
SHA1 hash:
6e506dbabd5d9dc0c17299208554bf8daa83f01b
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/86c041d4-66c5-4adf-8114-d2e038894240/
SH256 hash:
0efe90fbe05fdbe7645cc238be406b3add95c4b2307120b73697674ad408b0de
MD5 hash:
9715d63d92cd5ebcc3f6c5cb50bd461f
SHA1 hash:
d35920fb066076b09bec255f4521aed4ab8918cc
Link:
https://www.unpac.me/results/86c041d4-66c5-4adf-8114-d2e038894240/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0efe90fbe05f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0efe90fbe05fdbe7645cc238be406b3add95c4b2307120b73697674ad408b0de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_Amadey
Create hunting rule
Author:ditekSHen
Description:Amadey downloader payload
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Amadey_7abb059b
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.amadey.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/449264/

Comments