MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1377728525cecd3e44cad88d42cea2acd50b2741baa440f7c4fbb5dfe279c885. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	1377728525cecd3e44cad88d42cea2acd50b2741baa440f7c4fbb5dfe279c885
SHA3-384 hash:	4f1b851e33bf15653d3a0807c066f43b195ee6bb1fad5d0b7a23c93d9cc180093163b9eb0cd98cf5a028912c77db8506
SHA1 hash:	2f2e886b4b4a791ac66ab14b7e763f535e6cd35f
MD5 hash:	88c4e9e6c6b313d4a7bd626d5571cdda
humanhash:	minnesota-happy-bakerloo-march
File name:	SecuriteInfo.com.W32.AIDetect.malware1.32162.4334
Download:	download sample
Signature	Amadey Create hunting rule
File size:	364'544 bytes
First seen:	2022-06-14 13:49:09 UTC
Last seen:	2022-06-14 14:48:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5c9a45e3a672f28b0d099dd6d42d8df7 (5 x Amadey, 1 x RedLineStealer)
ssdeep	6144:/2R/cEFUibAKIMZVDZdwuUl1aTuVjWvHlaj971xshqVvfo5k569Ms:/cLFUikKIMZVDol1aT08m9zseg5W65
Threatray	389 similar samples on MalwareBazaar
TLSH	T1C574BE10BAA0D031F5F712F446B5C2A8793E7AA19B6455CFA2D426EE56386E0FC3134B
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13101/52/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	2dec137839939b91 (9 x RedLineStealer, 3 x Stop, 2 x DanaBot)
Reporter	SecuriteInfoCom
Tags:	Amadey exe

Intelligence

File Origin

# of uploads :

# of downloads :

411

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetect.malware1.32162.4334

Verdict:

Malicious activity

Analysis date:

2022-06-14 22:10:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1eca5433-33b7-46fc-9708-f087ef6521f9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/279832/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.32162.4334.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/21191/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62a8921996efd87b05f84451/reports/a7591d53-5b78-46e4-9c8d-0619bfab4105/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Arkei Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7ce1771a-4c9b-4fee-b977-11f9e3ee5a36

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1012958

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1377728525cecd3e44cad88d42cea2acd50b2741baa440f7c4fbb5dfe279c885/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-06-14 11:17:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cn3xfbjfz3gt4rgk3cguftvcvtkqwj2bxkseb56e7o257ytzzccq._file

Verdict:

malicious

Amadey

369f11b11b8dd54abb0833b3fd0b6a470687f45b7af473ad812efd52d7aaed2f

Amadey

3722aebc144a3383cf564e2627b13492a705a1d25019812ff77460fbb699f048

Amadey

ab37a574af8ab7ece7b24d9c6bca61e2c08ac73928269473946f8476a9eac661

Amadey

b22c3cd5ceb80a740708071c128aafa21805bd0c12759fff78cf319d498f5579

Amadey

df640367b49da9d6125891744014fdc2680c51c521d9890b16ef037ab10d861a

Amadey

edb16fa7d35dba5df07634bd3b40b482943b1534d10fd41e50dd152c67bf1620

Amadey

+ 379 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1448 stealer

Link:

https://tria.ge/reports/220614-q49v1aedfp/

Behaviour

Modifies system certificate store

Vidar Stealer

Vidar

Malware Config

C2 Extraction:

https://t.me/tg_randomacc
https://indieweb.social/@ronxik333

Unpacked files

SH256 hash:

3bf80e132ec5858cb4353f9a5c5c7eefc637b52163c6682a5b228eace2b5d007

MD5 hash:

184b6556885e12aafd6b1a9e25cf8a5c

SHA1 hash:

8cd1113f3380766ba933ef312f99de315e6cd3bb

Link:

https://www.unpac.me/results/590db6e8-90a4-4d53-8075-18c49ecbf9b7/

SH256 hash:

1377728525cecd3e44cad88d42cea2acd50b2741baa440f7c4fbb5dfe279c885

MD5 hash:

88c4e9e6c6b313d4a7bd626d5571cdda

SHA1 hash:

2f2e886b4b4a791ac66ab14b7e763f535e6cd35f

Link:

https://www.unpac.me/results/590db6e8-90a4-4d53-8075-18c49ecbf9b7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1377728525cecd3e44cad88d42cea2acd50b2741baa440f7c4fbb5dfe279c885

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

exe 1377728525cecd3e44cad88d42cea2acd50b2741baa440f7c4fbb5dfe279c885

(this sample)

Cape

https://www.capesandbox.com/analysis/279832/

URLhaus

https://urlhaus.abuse.ch/url/2237500/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample