MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1658f04dd5fd5910f02dff6b0653d37003001d2a94de69f8e81568e1513b56a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1658f04dd5fd5910f02dff6b0653d37003001d2a94de69f8e81568e1513b56a1
SHA3-384 hash: 13db306f176998f7697c6f474daf28760978fe3e46916d7d54db0e32044352f3eb16370730a7679a4555918262e9534c
SHA1 hash: 9a9a69b6971e6f3dc9ec8970f929a73b80769feb
MD5 hash: 1022b9da25022357fab2dd07bef10461
humanhash: montana-salami-violet-utah
File name:1022b9da25022357fab2dd07bef10461
Download: download sample
Signature Amadey
Create hunting rule
File size:1'285'632 bytes
First seen:2023-10-06 20:03:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:8yMjx6VkisCkJbCg+Ac5xqn0Lr20mZHCMd/b/kajDOQ4jn:rmx6VLsfJbr+ACw0ydHBrBO
TLSH T16555230797E78821D8713B3084F203A31B75BC62967567077F915D0A1EE2BA2787B736
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a service
Creating a file
Launching a process
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1658f04dd5fd5910f02dff6b0653d37003001d2a94de69f8e81568e1513b56a1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c5f6c107-cbcf-4196-b4ab-11c980876469
Result
Threat name:
Amadey, Babadeda, Healer AV Disabler, My
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1321236
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Healer AV Disabler
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1321236 Sample: OdCoLj4Asd.exe Startdate: 06/10/2023 Architecture: WINDOWS Score: 100 113 Snort IDS alert for network traffic 2->113 115 Found malware configuration 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 18 other signatures 2->119 11 OdCoLj4Asd.exe 1 4 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        18 2 other processes 2->18 process3 file4 97 C:\Users\user\AppData\Local\...\HU0jc86.exe, PE32 11->97 dropped 99 C:\Users\user\AppData\Local\...\6vB4Xq83.exe, PE32 11->99 dropped 20 HU0jc86.exe 1 4 11->20         started        process5 file6 89 C:\Users\user\AppData\Local\...\jQ7Di55.exe, PE32 20->89 dropped 91 C:\Users\user\AppData\Local\...\5me0tC8.exe, PE32 20->91 dropped 137 Antivirus detection for dropped file 20->137 139 Machine Learning detection for dropped file 20->139 24 jQ7Di55.exe 1 4 20->24         started        signatures7 process8 file9 93 C:\Users\user\AppData\Local\...\Sb8Qe36.exe, PE32 24->93 dropped 95 C:\Users\user\AppData\Local\...\4Dj612tF.exe, PE32 24->95 dropped 141 Antivirus detection for dropped file 24->141 143 Machine Learning detection for dropped file 24->143 28 Sb8Qe36.exe 1 4 24->28         started        32 4Dj612tF.exe 24->32         started        signatures10 process11 file12 101 C:\Users\user\AppData\Local\...\ru4Qh88.exe, PE32 28->101 dropped 103 C:\Users\user\AppData\Local\...\3Yh0330.exe, PE32 28->103 dropped 165 Antivirus detection for dropped file 28->165 167 Machine Learning detection for dropped file 28->167 34 ru4Qh88.exe 1 4 28->34         started        38 3Yh0330.exe 1 28->38         started        105 C:\Users\user\AppData\Local\...\explothe.exe, PE32 32->105 dropped 169 Multi AV Scanner detection for dropped file 32->169 40 explothe.exe 32->40         started        signatures13 process14 dnsIp15 81 C:\Users\user\AppData\Local\...\2rn40pO.exe, PE32 34->81 dropped 83 C:\Users\user\AppData\Local\...\1AR07po7.exe, PE32 34->83 dropped 121 Antivirus detection for dropped file 34->121 123 Machine Learning detection for dropped file 34->123 43 2rn40pO.exe 1 34->43         started        46 1AR07po7.exe 9 34->46         started        125 Writes to foreign memory regions 38->125 127 Allocates memory in foreign processes 38->127 129 Injects a PE file into a foreign processes 38->129 48 AppLaunch.exe 3 38->48         started        51 conhost.exe 38->51         started        53 WerFault.exe 38->53         started        111 77.91.124.1, 49717, 49718, 49719 ECOTEL-ASRU Russian Federation 40->111 85 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 40->85 dropped 87 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 40->87 dropped 131 Multi AV Scanner detection for dropped file 40->131 133 Creates an undocumented autostart registry key 40->133 135 Uses schtasks.exe or at.exe to add and modify task schedules 40->135 55 rundll32.exe 40->55         started        57 cmd.exe 40->57         started        59 schtasks.exe 40->59         started        file16 signatures17 process18 dnsIp19 145 Machine Learning detection for dropped file 43->145 147 Contains functionality to inject code into remote processes 43->147 149 Writes to foreign memory regions 43->149 161 2 other signatures 43->161 61 AppLaunch.exe 43->61         started        64 AppLaunch.exe 13 43->64         started        67 WerFault.exe 22 16 43->67         started        69 conhost.exe 43->69         started        151 Antivirus detection for dropped file 46->151 153 Multi AV Scanner detection for dropped file 46->153 155 Found many strings related to Crypto-Wallets (likely being stolen) 46->155 163 3 other signatures 46->163 107 77.91.124.55, 19071, 49716 ECOTEL-ASRU Russian Federation 48->107 157 Tries to harvest and steal browser information (history, passwords, etc) 48->157 159 Contains functionality to modify clipboard data 55->159 71 conhost.exe 57->71         started        73 cmd.exe 57->73         started        75 cacls.exe 57->75         started        79 4 other processes 57->79 77 conhost.exe 59->77         started        signatures20 process21 dnsIp22 171 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 61->171 173 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 61->173 109 5.42.92.211, 49712, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 64->109 signatures23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1658f04dd5fd5910f02dff6b0653d37003001d2a94de69f8e81568e1513b56a1/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-10-06 20:04:05 UTC
File Type:
PE (Exe)
Extracted files:
191
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=czmpatov7vmrb4bn75vqmu6toabqahjkstpgt6hicvuocuj3k2qq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:mystic family:redline botnet:frant evasion infostealer persistence stealer trojan
Link:
https://tria.ge/reports/231006-ys84bsff41/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Amadey
Detect Mystic stealer payload
Modifies Windows Defender Real-time Protection settings
Mystic
RedLine
RedLine payload
Malware Config
C2 Extraction:
http://5.42.92.211/loghub/master
77.91.124.55:19071
http://77.91.124.1/theme/index.php
http://77.91.68.78/help/index.php
Unpacked files
SH256 hash:
4e0e4660d283270ae7abac2520b0bbd19324ff879c079ddb771c072bc7bbf60e
MD5 hash:
9550b6022fcadfa9c2b6ed54f716b5eb
SHA1 hash:
0f2056f10af352f7c96cd0be0ab10538688512c2
Link:
https://www.unpac.me/results/31e210d7-51f9-4dbb-8c0c-e1120ba1116b/
SH256 hash:
2ecc669a7f5e4db05bd4c07c459784a9e2f8b1f957189ef51c4166dc4975ac7e
MD5 hash:
f5c4e387fa2668c0d3696e99fdda0bcb
SHA1 hash:
f7ab275ac642386f9363894fe142b59ea76b62cb
Link:
https://www.unpac.me/results/31e210d7-51f9-4dbb-8c0c-e1120ba1116b/
SH256 hash:
431be214153fd5ffd4ff4fe2826276c8feb1459837eda7462a171c824bd63d31
MD5 hash:
94a8f3962afb223c692c8c8757e2b14d
SHA1 hash:
3d5a3f9bcd56b73a96a70cdfb9def93b54643c1e
Link:
https://www.unpac.me/results/31e210d7-51f9-4dbb-8c0c-e1120ba1116b/
SH256 hash:
78b24bb7320f7f4366527d68279d8d4dddbf48b5406e2ef11d5b6c1db840717f
MD5 hash:
fc35c988d8f80633616d67ffe1a56a85
SHA1 hash:
55e49e2064035d839681d9185671449c3569b882
Link:
https://www.unpac.me/results/31e210d7-51f9-4dbb-8c0c-e1120ba1116b/
SH256 hash:
43f7cb4777ae110f4eb7923e07ead835326ccd531dbee0e263033bf50b210bc0
MD5 hash:
f11db9937fef328b7d2a77a21514e1be
SHA1 hash:
24ffbd50b01f5508ecc6e2abdb10d5fd03e8edd7
Link:
https://www.unpac.me/results/31e210d7-51f9-4dbb-8c0c-e1120ba1116b/
SH256 hash:
cd9b03408e7ec2e5d0801a15570dd03fb1e1715155deadd31d3cc0894721c130
MD5 hash:
ad5cdf88f172a8430e04683986afa243
SHA1 hash:
30d60965738f48f68b1af7701d0c477366c13ce8
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/31e210d7-51f9-4dbb-8c0c-e1120ba1116b/
Parent samples :
1658f04dd5fd5910f02dff6b0653d37003001d2a94de69f8e81568e1513b56a1
f1adfc111c7f912630950c8c3321db0a54c7af6f4a67c0c317dc19f377398ae3
SH256 hash:
6f89351e07bb13d4b3e90fa53c38533be7873d4616cc88781e618856956c6af5
MD5 hash:
537c7a51e4092b4d010a7f379126c479
SHA1 hash:
282b64b0d320614e08ae0fee95d158115d69c404
Link:
https://www.unpac.me/results/31e210d7-51f9-4dbb-8c0c-e1120ba1116b/
SH256 hash:
1658f04dd5fd5910f02dff6b0653d37003001d2a94de69f8e81568e1513b56a1
MD5 hash:
1022b9da25022357fab2dd07bef10461
SHA1 hash:
9a9a69b6971e6f3dc9ec8970f929a73b80769feb
Link:
https://www.unpac.me/results/31e210d7-51f9-4dbb-8c0c-e1120ba1116b/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1658f04dd5fd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1658f04dd5fd5910f02dff6b0653d37003001d2a94de69f8e81568e1513b56a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 1658f04dd5fd5910f02dff6b0653d37003001d2a94de69f8e81568e1513b56a1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2710160/

Comments


Avatar
zbet commented on 2023-10-06 20:03:11 UTC

url : hxxp://77.91.68.78/file/lega.exe