MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb
SHA3-384 hash: 34d6c76029f9c49f2dd14f43a70cf04617cba7d48201da5a83a7c44e896b44abad433aa017d29a0009601f1ad4dca3d8
SHA1 hash: cd5a0b59554767b3d4433fe9b5771352309bd10b
MD5 hash: a360a5318a93a25cffac26e520664aa0
humanhash: connecticut-summer-equal-rugby
File name:a360a5318a93a25cffac26e520664aa0.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:215'897 bytes
First seen:2023-07-09 23:35:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f8cc61ade86cb7277d0ab974de6323cb (32 x Amadey, 11 x RedLineStealer)
ssdeep 3072:mhMCsw9/w+A4cwP+5OzutpHKGruONM4QuZA+67bi83eILfbq5kmh:5Cswq+AXYu7HGOSuZAlAILjq
Threatray 2'204 similar samples on MalwareBazaar
TLSH T12D24F6267912C031D560A1B619F4BFF2C59CA824ABB049DB7B800F77DA122F73D61E39
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
77.91.68.48:19071

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
a360a5318a93a25cffac26e520664aa0.exe
Verdict:
Malicious activity
Analysis date:
2023-07-09 23:36:38 UTC
Tags:
amadey trojan opendir loader rat redline smoke
Link:
https://app.any.run/tasks/78b26680-184a-4e3c-a280-1361ab11aea1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/413295/
Detection(s):
Win.Malware.Doina-10001799-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96715/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
GetTempPath
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey greyware lolbin overlay shell32
Link:
https://www.filescan.io/uploads/64ab44620e49d672f31ecf9c/reports/5d57f632-3030-4a81-a511-070ff9fec98d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6e3cd62-a81c-4097-b0a3-1082382d38af
Result
Threat name:
Amadey, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1270578
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1270578 Sample: tK7Lpstf75.exe Startdate: 11/07/2023 Architecture: WINDOWS Score: 100 199 Snort IDS alert for network traffic 2->199 201 Found malware configuration 2->201 203 Malicious sample detected (through community Yara rule) 2->203 205 18 other signatures 2->205 13 tK7Lpstf75.exe 4 2->13         started        17 ivgwrch 2->17         started        19 oneetx.exe 2->19         started        process3 file4 165 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 13->165 dropped 167 C:\Users\user\...\oneetx.exe:Zone.Identifier, ASCII 13->167 dropped 259 Contains functionality to inject code into remote processes 13->259 21 oneetx.exe 3 26 13->21         started        261 Multi AV Scanner detection for dropped file 17->261 263 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->263 265 Maps a DLL or memory area into another process 17->265 267 2 other signatures 17->267 signatures5 process6 dnsIp7 183 77.91.124.20, 49698, 49699, 49701 ECOTEL-ASRU Russian Federation 21->183 185 77.91.124.31, 49700, 49702, 49704 ECOTEL-ASRU Russian Federation 21->185 157 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 21->157 dropped 159 C:\Users\user\AppData\Local\Temp\...\du.exe, PE32 21->159 dropped 161 C:\Users\user\AppData\Local\...\fotod45.exe, PE32 21->161 dropped 163 5 other malicious files 21->163 dropped 241 Multi AV Scanner detection for dropped file 21->241 243 Creates an undocumented autostart registry key 21->243 245 Creates multiple autostart registry keys 21->245 247 Uses schtasks.exe or at.exe to add and modify task schedules 21->247 26 du.exe 21->26         started        29 foto175.exe 1 4 21->29         started        32 fotod45.exe 1 4 21->32         started        34 3 other processes 21->34 file8 signatures9 process10 file11 249 Antivirus detection for dropped file 26->249 251 Multi AV Scanner detection for dropped file 26->251 253 Machine Learning detection for dropped file 26->253 257 4 other signatures 26->257 36 explorer.exe 26->36 injected 169 C:\Users\user\AppData\Local\...\x7393631.exe, PE32 29->169 dropped 171 C:\Users\user\AppData\Local\...\i5348370.exe, PE32 29->171 dropped 41 x7393631.exe 1 4 29->41         started        173 C:\Users\user\AppData\Local\...\y4578248.exe, PE32 32->173 dropped 175 C:\Users\user\AppData\Local\...\n8609873.exe, PE32 32->175 dropped 43 y4578248.exe 32->43         started        255 Contains functionality to modify clipboard data 34->255 45 conhost.exe 34->45         started        47 conhost.exe 34->47         started        49 cmd.exe 1 34->49         started        51 5 other processes 34->51 signatures12 process13 dnsIp14 177 77.91.68.29, 49890, 49907, 49921 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 36->177 179 77.91.68.30, 49924, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 36->179 181 192.168.2.1 unknown unknown 36->181 123 C:\Users\user\AppData\Roaming\ivgwrch, PE32 36->123 dropped 125 C:\Users\user\AppData\Local\Temp\CCF8.exe, PE32 36->125 dropped 127 C:\Users\user\AppData\Local\Temp\3D6E.exe, PE32 36->127 dropped 129 C:\Users\user\AppData\Local\Temp\35A1.exe, PE32 36->129 dropped 227 System process connects to network (likely due to code injection or exploit) 36->227 229 Benign windows process drops PE files 36->229 231 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->231 53 CCF8.exe 36->53         started        57 35A1.exe 36->57         started        59 3D6E.exe 36->59         started        65 7 other processes 36->65 131 C:\Users\user\AppData\Local\...\x7943712.exe, PE32 41->131 dropped 133 C:\Users\user\AppData\Local\...\h6812424.exe, PE32 41->133 dropped 233 Antivirus detection for dropped file 41->233 235 Machine Learning detection for dropped file 41->235 61 x7943712.exe 1 4 41->61         started        135 C:\Users\user\AppData\Local\...\y5421827.exe, PE32 43->135 dropped 137 C:\Users\user\AppData\Local\...\m8510729.exe, PE32 43->137 dropped 63 y5421827.exe 43->63         started        file15 signatures16 process17 file18 139 C:\Users\user\AppData\Local\...\x7393631.exe, PE32 53->139 dropped 141 C:\Users\user\AppData\Local\...\i5348370.exe, PE32 53->141 dropped 67 x7393631.exe 53->67         started        143 C:\Users\user\AppData\Local\...\y3604434.exe, PE32 57->143 dropped 145 C:\Users\user\AppData\Local\...\n1254793.exe, PE32 57->145 dropped 71 y3604434.exe 57->71         started        147 C:\Users\user\AppData\Local\Temp\r4_7sv.5, PE32 59->147 dropped 149 C:\Users\user\AppData\Local\Temp\...\r4_7sv.5, PE32 59->149 dropped 155 2 other malicious files 61->155 dropped 237 Antivirus detection for dropped file 61->237 239 Machine Learning detection for dropped file 61->239 73 g0808444.exe 61->73         started        75 f7642883.exe 61->75         started        151 C:\Users\user\AppData\Local\...\l8557297.exe, PE32 63->151 dropped 153 C:\Users\user\AppData\Local\...\k2944338.exe, PE32 63->153 dropped 78 k2944338.exe 63->78         started        80 l8557297.exe 63->80         started        signatures19 process20 dnsIp21 113 C:\Users\user\AppData\Local\...\x7943712.exe, PE32 67->113 dropped 115 C:\Users\user\AppData\Local\...\h6812424.exe, PE32 67->115 dropped 213 Antivirus detection for dropped file 67->213 215 Machine Learning detection for dropped file 67->215 82 x7943712.exe 67->82         started        117 C:\Users\user\AppData\Local\...\y9325717.exe, PE32 71->117 dropped 119 C:\Users\user\AppData\Local\...\m2444642.exe, PE32 71->119 dropped 86 y9325717.exe 71->86         started        121 C:\Users\user\AppData\Local\...\danke.exe, PE32 73->121 dropped 217 Multi AV Scanner detection for dropped file 73->217 88 danke.exe 73->88         started        187 77.91.68.48, 19071, 49759, 49845 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 75->187 219 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 75->219 221 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 75->221 90 conhost.exe 75->90         started        223 Disable Windows Defender notifications (registry) 78->223 225 Disable Windows Defender real time protection (registry) 78->225 92 conhost.exe 78->92         started        94 conhost.exe 80->94         started        file22 signatures23 process24 file25 105 C:\Users\user\AppData\Local\...\g0808444.exe, PE32 82->105 dropped 107 C:\Users\user\AppData\Local\...\f7642883.exe, PE32 82->107 dropped 207 Antivirus detection for dropped file 82->207 209 Machine Learning detection for dropped file 82->209 96 f7642883.exe 82->96         started        109 C:\Users\user\AppData\Local\...\l1698174.exe, PE32 86->109 dropped 111 C:\Users\user\AppData\Local\...\k1339320.exe, PE32 86->111 dropped 99 k1339320.exe 86->99         started        211 Multi AV Scanner detection for dropped file 88->211 signatures26 process27 signatures28 189 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 96->189 191 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 96->191 193 Tries to harvest and steal browser information (history, passwords, etc) 96->193 101 conhost.exe 96->101         started        195 Antivirus detection for dropped file 99->195 197 Machine Learning detection for dropped file 99->197 103 conhost.exe 99->103         started        process29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-05 23:22:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
33 of 38 (86.84%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ch4s5fdxto4swsfgzzvq6excmk4td7znr4powyaa24ell4yftk5q._file
Verdict:
malicious
Similar samples:
0f91f82218d734d2f86b6a1fa0b6c8743e031caf1ce6481e138201309eaf224f
Amadey
127331248be3658c2f1156be9b8df2462ae511a94f73d3251f76ff294424b2cb
Amadey
28d3195daf8b48fa262cc9be185e9dd402f79be472874b4070dd0516744b8a63
Amadey
8003e04f598f75df475bebdafb8b1702c4bdff87067b6554942a795a50c5bb73
Amadey
86de0eece0f433c1dad9c51b60a11e39346f6da14ad576d78bd72600d963f80a
Amadey
aa3a84d69bd27931f0e7aeda5ff5cb4f7780644c2bb59bc1c374470c8109d2da
Amadey
c1d088856f128aa9dbd120f2a727fbb33ae1567caf85d612426345d5e34545eb
Amadey
e6270068394194d400ccb6422ccaa72da89179294525d6aa0c615bd1519d685d
Amadey
f984811ca20f0022a21840ccd29a68b8a39d44569b4ecdb9634405e4f404af57
Amadey
fda782d36cbd967d0c3f037110e2419d4676af0a089648fb8c6f8656e97fdb83
Amadey
+ 2'194 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey trojan
Link:
https://tria.ge/reports/230709-3ljx3sha8v/
Behaviour
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Malware Config
C2 Extraction:
77.91.124.20/store/games/index.php
Unpacked files
SH256 hash:
11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb
MD5 hash:
a360a5318a93a25cffac26e520664aa0
SHA1 hash:
cd5a0b59554767b3d4433fe9b5771352309bd10b
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/63484517-844d-4c0d-9a6c-08517656a22c/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11f92e94779b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/413295/

Comments