MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1630fa1a40a0f41723a16e69370361b7a868dd03eb3a986969ad4815babc6e6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1630fa1a40a0f41723a16e69370361b7a868dd03eb3a986969ad4815babc6e6b
SHA3-384 hash: f345a59bf2e2bb1a01078b47cdd085611cf03115872a3a76d1f16a81a65e7c3fb92bc1073f5795c9c3c9feca4037a63d
SHA1 hash: 80e873e66b7cb1c9389e9b8a2167f6f6d2ee36de
MD5 hash: 8171ce60a71e757d2bc08431463261ba
humanhash: sierra-island-emma-nevada
File name:8171CE60A71E757D2BC08431463261BA.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:7'306'832 bytes
First seen:2021-08-29 00:46:11 UTC
Last seen:2021-08-29 02:17:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:Qng4TlyOpuHI28RkeqZoTnpUeb92Y83YTBN3X1ffTG:QRTlcmRkeqWTnWebsv3qpX1ff
Threatray 12 similar samples on MalwareBazaar
TLSH T1AC76F0B4F9F0CAD6C46375BADC6A3AF108E84F09DDA84E8F1D843E40763526A4671E1D
dhash icon 13699696a28ad021 (3 x njrat, 1 x Amadey, 1 x NetWire)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://depressionk1d.ug/k8FppT/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://depressionk1d.ug/k8FppT/index.php https://threatfox.abuse.ch/ioc/201784/

Intelligence

File Origin
# of uploads :
2
# of downloads :
422
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8171CE60A71E757D2BC08431463261BA.exe
Verdict:
Malicious activity
Analysis date:
2021-08-29 00:49:38 UTC
Tags:
trojan rat redline stealer evasion
Link:
https://app.any.run/tasks/fb00152e-2ef3-4509-b6e7-740f6c78ecb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183178/
Detection(s):
PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Sending an HTTP GET request
Running batch commands
Launching a process
Sending an HTTP POST request
Stealing user critical data
Enabling autorun by creating a file
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f3dd370-5c74-48ce-b43b-646fb07950cd
Result
Threat name:
Amadey RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840921
Signature
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Posts data to a JPG file (protocol mismatch)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 473352 Sample: VunjeCGYgU.exe Startdate: 29/08/2021 Architecture: WINDOWS Score: 100 114 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->114 116 Sigma detected: Xmrig 2->116 118 Multi AV Scanner detection for dropped file 2->118 120 14 other signatures 2->120 9 VunjeCGYgU.exe 15 33 2->9         started        14 System.exe 2->14         started        16 rnyuf.exe 2->16         started        process3 dnsIp4 102 77.232.43.79, 49701, 57581 EUT-ASEUTIPNetworkRU Russian Federation 9->102 104 162.159.130.233, 443, 49710 CLOUDFLARENETUS United States 9->104 110 2 other IPs or domains 9->110 84 C:\Users\user\AppData\Local\...\winunit.exe, PE32 9->84 dropped 86 C:\Users\user\AppData\Local\...\winlogan.exe, PE32 9->86 dropped 88 C:\Users\user\AppData\...\VunjeCGYgU.exe.log, ASCII 9->88 dropped 146 Detected unpacking (changes PE section rights) 9->146 148 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->148 150 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->150 156 3 other signatures 9->156 18 winlogan.exe 4 9->18         started        22 winunit.exe 40 9->22         started        25 conhost.exe 9->25         started        106 52.217.88.84 AMAZON-02US United States 14->106 108 s3-w.us-east-1.amazonaws.com 14->108 112 4 other IPs or domains 14->112 90 C:\ProgramData\Data\Database.exe, PE32+ 14->90 dropped 92 C:\ProgramData\Data\old.exe (copy), PE32+ 14->92 dropped 152 Hides threads from debuggers 14->152 27 cmd.exe 14->27         started        29 cmd.exe 14->29         started        31 cmd.exe 14->31         started        33 8 other processes 14->33 154 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->154 file5 signatures6 process7 dnsIp8 80 C:\Users\user\AppData\Local\...\rnyuf.exe, PE32 18->80 dropped 122 Multi AV Scanner detection for dropped file 18->122 124 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->124 126 Machine Learning detection for dropped file 18->126 134 2 other signatures 18->134 35 rnyuf.exe 14 18->35         started        96 iplogger.org 88.99.66.31, 443, 49711, 49712 HETZNER-ASDE Germany 22->96 98 bitbucket.org 104.192.141.1, 443, 49714 AMAZON-02US United States 22->98 100 3 other IPs or domains 22->100 82 C:\ProgramData\Microsoft Network\System.exe, PE32 22->82 dropped 128 Detected unpacking (changes PE section rights) 22->128 130 May check the online IP address of the machine 22->130 132 Tries to evade analysis by execution special instruction which cause usermode exception 22->132 39 cmd.exe 22->39         started        41 cmd.exe 22->41         started        43 cmd.exe 22->43         started        45 13 other processes 22->45 47 2 other processes 27->47 49 2 other processes 29->49 51 2 other processes 31->51 53 8 other processes 33->53 file9 signatures10 process11 dnsIp12 94 depressionk1d.ug 193.164.17.17 AT-ASRU Russian Federation 35->94 136 Multi AV Scanner detection for dropped file 35->136 138 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 35->138 140 Machine Learning detection for dropped file 35->140 142 5 other signatures 35->142 55 cmd.exe 35->55         started        57 schtasks.exe 35->57         started        59 conhost.exe 39->59         started        61 taskkill.exe 39->61         started        63 conhost.exe 41->63         started        65 taskkill.exe 41->65         started        69 2 other processes 43->69 67 conhost.exe 45->67         started        71 12 other processes 45->71 signatures13 process14 process15 73 reg.exe 55->73         started        76 conhost.exe 55->76         started        78 conhost.exe 57->78         started        signatures16 144 Creates an undocumented autostart registry key 73->144
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1630fa1a40a0f41723a16e69370361b7a868dd03eb3a986969ad4815babc6e6b/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 04:24:57 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cyypugsaud2boi5bnzutoa3bw6ugrxid5m5jq2ljvveblov4nzvq._file
Verdict:
malicious
Similar samples:
2aaad8177d08507b09dc3d419b4d31f65db6fe6bc6314ffce650b9fc57f0817c
Amadey
4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e
Amadey
4dec399c785ed12108ec1f383345ca6bccf12542d2037ee0d6bee4945fd71fd4
Amadey
84783081ade87f5a4a1902a275eb66c7fe8ebef9e43cdd2d4527bdb1a5a51f04
Amadey
991c4166a2246ca5ae9186a1e747f5eb767fdbd304dbfa1c5f4a2019cb6b4aec
Amadey
ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a
Amadey
dc6f6eb8e711accc909c5cc1802fe5f2ba706abd18adbfa89bec845c04bff8bd
Amadey
e467fbf52c4dc6e1b5cd1fa9a60dd230672581884b05381378a0a953d81f533b
Amadey
fa1b0782ba561e7c093eae658614ce3f846cb6d57fd6454aea2246e141ec5242
Amadey
+ 2 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey discovery spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/210829-src9apbxy2/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Amadey
Malware Config
C2 Extraction:
depressionk1d.ug/k8FppT/index.php
Unpacked files
SH256 hash:
1630fa1a40a0f41723a16e69370361b7a868dd03eb3a986969ad4815babc6e6b
MD5 hash:
8171ce60a71e757d2bc08431463261ba
SHA1 hash:
80e873e66b7cb1c9389e9b8a2167f6f6d2ee36de
Link:
https://www.unpac.me/results/ff250d61-f4a3-4ae3-a816-b49f495a2e24/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1630fa1a40a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1630fa1a40a0f41723a16e69370361b7a868dd03eb3a986969ad4815babc6e6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183178/

Comments