MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13ad0224d5f05dec29bb9ef7142c429e666525265fd33de68685abc6844a6b6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13ad0224d5f05dec29bb9ef7142c429e666525265fd33de68685abc6844a6b6c
SHA3-384 hash: 097b466c3104a7e8aa237229a3f0e74ce56340277cfb0bfb7198d8bdfd9ef3519ed6c5b67ee6fb7bab5a58e577b6f1a6
SHA1 hash: 91f065f69bb0a2d9e5051e3e28a2d45fc9e055f8
MD5 hash: 84271e4057356d10c3e1989dee4bbd9c
humanhash: aspen-carbon-grey-oregon
File name:84271e4057356d10c3e1989dee4bbd9c.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:401'920 bytes
First seen:2022-07-14 06:19:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fe47884083bab0c3389c69805e59188 (11 x Smoke Loader, 4 x RedLineStealer, 3 x Loki)
ssdeep 6144:Axwc1xI5akZj7Sy+DVnGMROjMbbubzywK8F4a8RT2jbFPwCSb8oWZ:nLgojuBDVnhROjMv+zBFC2jJib+
Threatray 601 similar samples on MalwareBazaar
TLSH T14084BF00B790D435F4B71AF849B68368B9397EA0A72454CF22E52AEE57346F0EC3175B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 25ac1370399b9b91 (36 x Amadey, 28 x Smoke Loader, 17 x RedLineStealer)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
621
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/288442/
Detection(s):
Win.Packed.Crypterx-9954995-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Launching a process
Creating a window
Creating a file
DNS request
Sending an HTTP POST request
Delayed reading of the file
Searching for the window
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62cfb5a5d6d93426ceec85ec/reports/03202317-1754-4676-afc6-3885683152a7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1031863
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13ad0224d5f05dec29bb9ef7142c429e666525265fd33de68685abc6844a6b6c/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2022-07-14 06:20:07 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cowqejgv6bo6ykn3t33rilcctztgkjjgl7jt3zugqwv4nbcknnwa._file
Verdict:
malicious
Similar samples:
12163d07dc538469b9ca2d265f091feb10e3aaaa0b9565e5a8813ac8fabe94e0
Amadey
2816bb96add28e6f1d5cff0ed2d7fd59de35331dafa742a7b32253d0c45b4b7a
Amadey
33bbf56687fc2daf090d85028716b348f78089e0c65592c689c6c9b3225d2e29
Amadey
543d532f04de06d64a9de2eec3f31d1125499590ef9952321e6a6cee9a64f58d
Amadey
5732942d1d9b3b581bc3d2d446e82ba5de4d8bdbee48c4997a6cbc99bb777de9
Amadey
ea8c332279f6b57a1f7b435bb2e6893a300116f2c5e820630a31b41eeb124964
Amadey
f08411f389d5065c97508c3b99422301877c3c56877fc6f2913939c24ae48706
Amadey
f0ec9da984c79f4fdd540d22d157d1944129f18e79b0439cc028048812207970
Amadey
fde242f2153e81e058145a562e74e837474fc71bc865fafe395df2671102430c
Amadey
ff4e76fc977192dedaf23080d2a557f2023d579fb32dcacfaf2d4745fb9c85d1
Amadey
+ 591 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220714-g29b1shgcn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
suricata: ET MALWARE Amadey CnC Check-In
Unpacked files
SH256 hash:
b53673ab38d3de843874fb6e8d3fe6b0c9c1d9832a3d0f42fd912e20209d96ae
MD5 hash:
25f0452596cf92ad361c5dc6f1ff2692
SHA1 hash:
96fb573e8456c51e7a3d685c16f3bedd5e932a26
Link:
https://www.unpac.me/results/06af31c9-50fa-442c-936a-b909cfeaf49b/
SH256 hash:
13ad0224d5f05dec29bb9ef7142c429e666525265fd33de68685abc6844a6b6c
MD5 hash:
84271e4057356d10c3e1989dee4bbd9c
SHA1 hash:
91f065f69bb0a2d9e5051e3e28a2d45fc9e055f8
Link:
https://www.unpac.me/results/06af31c9-50fa-442c-936a-b909cfeaf49b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13ad0224d5f05dec29bb9ef7142c429e666525265fd33de68685abc6844a6b6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 13ad0224d5f05dec29bb9ef7142c429e666525265fd33de68685abc6844a6b6c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2257204/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/288442/

Comments