MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 167b94989bbc4eeacbe585b529ff43d7c9aacdc663a01210193d547ad855b058. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 167b94989bbc4eeacbe585b529ff43d7c9aacdc663a01210193d547ad855b058
SHA3-384 hash: c9bb2c3f7dd16d035e6d46244b9b1561a02fc3692f8167bfe97349d6c576b2821aa2f1ba6cdbe2d6ce677be1cb975d10
SHA1 hash: 0e7c23291ae5bf53c59a42d35eee6953beb6cf07
MD5 hash: 66578f7c481cca8ec2f62d57741186ef
humanhash: twelve-helium-oven-kansas
File name:66578f7c481cca8ec2f62d57741186ef.bin.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'475'336 bytes
First seen:2023-03-02 19:15:24 UTC
Last seen:2023-03-02 20:29:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:WDixmGng+cZuX84vEm47VqvzkhFrQbySfll/2KgV5rvDLZVKFqbQq6/Ru:Ti+cHn74rkzEySNR2KgV5rLLDKFLqWu
TLSH T14965F82B59C281B1C0809935A3A9C1BC03B97EEB1553EBA701953EE9FF722DA35051DF
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://77.73.134.52/0jVu73d/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
66578f7c481cca8ec2f62d57741186ef.bin.exe
Verdict:
Malicious activity
Analysis date:
2023-03-02 19:15:34 UTC
Tags:
trojan amadey loader
Link:
https://app.any.run/tasks/a48fe0cd-4364-41e7-9669-317845f3ffad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371272/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12086.30474.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Creating a file
Delayed reading of the file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
60%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6400f5f52ea6b36966306b99/reports/f1954ce6-24ec-4904-ba96-178f73ce691b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/167b94989bbc4eeacbe585b529ff43d7c9aacdc663a01210193d547ad855b058
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6522f0aa-2bfe-4565-854b-8731ab57aa88
Result
Threat name:
Amadey, DarkTortilla, RedLine
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1186059
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected DarkTortilla Crypter
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 818925 Sample: AHRly0HiJP.exe Startdate: 02/03/2023 Architecture: WINDOWS Score: 100 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for URL or domain 2->98 100 Antivirus detection for dropped file 2->100 102 9 other signatures 2->102 11 AHRly0HiJP.exe 15 5 2->11         started        16 knuus.exe 2->16         started        18 knuus.exe 2->18         started        20 3 other processes 2->20 process3 dnsIp4 78 142.250.203.100 GOOGLEUS United States 11->78 80 8.8.8.8 GOOGLEUS United States 11->80 74 C:\Users\user\AppData\...\softwareBuild.exe, PE32 11->74 dropped 76 C:\Users\user\AppData\...\AHRly0HiJP.exe.log, ASCII 11->76 dropped 104 Writes to foreign memory regions 11->104 106 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->106 108 Injects a PE file into a foreign processes 11->108 22 softwareBuild.exe 3 11->22         started        25 InstallUtil.exe 11->25         started        27 InstallUtil.exe 11->27         started        29 InstallUtil.exe 11->29         started        file5 signatures6 process7 file8 72 C:\Users\user\AppData\Local\...\knuus.exe, PE32 22->72 dropped 31 knuus.exe 21 22->31         started        36 WerFault.exe 25->36         started        process9 dnsIp10 84 77.73.134.52 FIBEROPTIXDE Kazakhstan 31->84 64 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 31->64 dropped 66 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 31->66 dropped 68 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 31->68 dropped 70 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 31->70 dropped 88 Antivirus detection for dropped file 31->88 90 Creates an undocumented autostart registry key 31->90 92 Machine Learning detection for dropped file 31->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 31->94 38 rundll32.exe 31->38         started        40 cmd.exe 1 31->40         started        42 schtasks.exe 1 31->42         started        44 rundll32.exe 31->44         started        86 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->86 file11 signatures12 process13 process14 46 rundll32.exe 23 38->46         started        50 conhost.exe 40->50         started        52 cmd.exe 1 40->52         started        54 cmd.exe 1 40->54         started        58 4 other processes 40->58 56 conhost.exe 42->56         started        dnsIp15 82 192.168.2.1 unknown unknown 46->82 110 System process connects to network (likely due to code injection or exploit) 46->110 112 Tries to steal Instant Messenger accounts or passwords 46->112 114 Tries to harvest and steal ftp login credentials 46->114 116 Tries to harvest and steal browser information (history, passwords, etc) 46->116 60 tar.exe 46->60         started        signatures16 process17 process18 62 conhost.exe 60->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/167b94989bbc4eeacbe585b529ff43d7c9aacdc663a01210193d547ad855b058/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-03-02 19:41:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
42
AV detection:
15 of 25 (60.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cz5zjge3xrhovs7fqw2st72d27e2vtogmoqbeeazhvkhvwcvwbma._file
Verdict:
malicious
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey spyware stealer trojan
Link:
https://tria.ge/reports/230302-xyssvsea2z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Amadey
Malware Config
C2 Extraction:
77.73.134.52/0jVu73d/index.php
Unpacked files
SH256 hash:
167b94989bbc4eeacbe585b529ff43d7c9aacdc663a01210193d547ad855b058
MD5 hash:
66578f7c481cca8ec2f62d57741186ef
SHA1 hash:
0e7c23291ae5bf53c59a42d35eee6953beb6cf07
Link:
https://www.unpac.me/results/6fb9750d-ce52-4158-8974-d9cdb88eb67d/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/167b94989bbc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/167b94989bbc4eeacbe585b529ff43d7c9aacdc663a01210193d547ad855b058

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371272/

Comments