MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009
SHA3-384 hash: 6974b9ff5f0b43108c23113640bbf8d2a3631f914f7777e556b9c79ccf608fd8f815c145bc0443dba299abc61e2f66f1
SHA1 hash: 4621477bd66e7a4c683fe33ce56783de656f7df3
MD5 hash: 94403f8fdc2f6aab27c4b847c3f7ec36
humanhash: nitrogen-fix-cup-cup
File name:94403f8fdc2f6aab27c4b847c3f7ec36.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:249'344 bytes
First seen:2022-12-12 16:11:40 UTC
Last seen:2022-12-12 17:33:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 857774b8dd5bc6abe25ef09f890c7f72 (4 x Amadey, 1 x RedLineStealer)
ssdeep 6144:e0Tn/MUTehRBZbSjpwe6N+6LzXFuz5a6E8K6Kr3ZpO:1Xg7Zb46FLBuz5aDa6zO
TLSH T11434F8207D16C031D660517729A9BFF6C19CB825ABB049DB7B800F77DA122E67A70E3D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
94403f8fdc2f6aab27c4b847c3f7ec36.exe
Verdict:
Malicious activity
Analysis date:
2022-12-12 16:12:02 UTC
Tags:
trojan amadey loader
Link:
https://app.any.run/tasks/0280d110-6a78-4166-931d-8c405338db84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345515/
Detection(s):
SecuriteInfo.com.Variant.Lazy.158178.17044.8393.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Adding an access-denied ACE
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Creating a file
Creating a window
Delayed reading of the file
Connecting to a non-recommended domain
Sending an HTTP POST request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Downloading the file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/639752d39a505ad9423f3988/reports/8197e353-a0c5-45aa-8f01-6bc85b685de9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5caf171-8695-4b2f-a7ca-8cb3ea26f05c
Result
Threat name:
Amadey, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1132811
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Download and Execute IEX
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 765534 Sample: cC6yefr524.exe Startdate: 12/12/2022 Architecture: WINDOWS Score: 100 112 Malicious sample detected (through community Yara rule) 2->112 114 Antivirus detection for URL or domain 2->114 116 Antivirus detection for dropped file 2->116 118 12 other signatures 2->118 11 cC6yefr524.exe 4 2->11         started        15 isegggv 2->15         started        17 gntuud.exe 2->17         started        19 3 other processes 2->19 process3 file4 92 C:\Users\user\AppData\Local\...\gntuud.exe, PE32 11->92 dropped 94 C:\Users\user\...\gntuud.exe:Zone.Identifier, ASCII 11->94 dropped 148 Contains functionality to inject code into remote processes 11->148 21 gntuud.exe 29 11->21         started        150 Antivirus detection for dropped file 15->150 152 Multi AV Scanner detection for dropped file 15->152 154 Machine Learning detection for dropped file 15->154 156 4 other signatures 15->156 26 conhost.exe 17->26         started        signatures5 process6 dnsIp7 98 62.204.41.13 TNNET-ASTNNetOyMainnetworkFI United Kingdom 21->98 100 37.139.129.107 LVLT-10753US Germany 21->100 102 3 other IPs or domains 21->102 80 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32 21->80 dropped 82 C:\Users\user\AppData\Roaming\...\stub.exe, PE32 21->82 dropped 84 C:\Users\user\AppData\Local\Temp\...behaviorgraphay.exe, PE32 21->84 dropped 86 4 other malicious files 21->86 dropped 128 Antivirus detection for dropped file 21->128 130 Creates an undocumented autostart registry key 21->130 132 Machine Learning detection for dropped file 21->132 134 Uses schtasks.exe or at.exe to add and modify task schedules 21->134 28 stub.exe 21->28         started        31 rundll32.exe 21->31         started        34 Gay.exe 21->34         started        36 3 other processes 21->36 file8 signatures9 process10 dnsIp11 158 Antivirus detection for dropped file 28->158 160 Multi AV Scanner detection for dropped file 28->160 162 Machine Learning detection for dropped file 28->162 176 4 other signatures 28->176 38 explorer.exe 28->38 injected 110 192.168.2.3 unknown unknown 31->110 164 System process connects to network (likely due to code injection or exploit) 31->164 166 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->166 168 Tries to steal Instant Messenger accounts or passwords 31->168 178 2 other signatures 31->178 170 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 34->170 172 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 34->172 43 Gay.exe 34->43         started        174 Uses ping.exe to check the status of other devices and networks 36->174 45 cmd.exe 36->45         started        47 cmd.exe 1 36->47         started        49 conhost.exe 36->49         started        51 7 other processes 36->51 signatures12 process13 dnsIp14 104 85.209.135.29 CMCSUS Germany 38->104 88 C:\Users\user\AppData\Roaming\isegggv, PE32 38->88 dropped 90 C:\Users\user\AppData\Local\Temp\FE0A.exe, PE32 38->90 dropped 142 System process connects to network (likely due to code injection or exploit) 38->142 144 Benign windows process drops PE files 38->144 146 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->146 53 FE0A.exe 38->53         started        57 PING.EXE 45->57         started        60 conhost.exe 45->60         started        62 powershell.exe 14 14 47->62         started        64 conhost.exe 47->64         started        file15 signatures16 process17 dnsIp18 78 C:\Users\user\AppData\Local\...\gntuud.exe, PE32 53->78 dropped 124 Multi AV Scanner detection for dropped file 53->124 126 Machine Learning detection for dropped file 53->126 66 gntuud.exe 53->66         started        106 127.0.0.1 unknown unknown 57->106 108 195.123.211.56 ITL-LV Bulgaria 62->108 file19 signatures20 process21 dnsIp22 96 185.246.221.126 LVLT-10753US Germany 66->96 76 C:\Users\user\AppData\Roaming\...\stub.exe, PE32 66->76 dropped 120 Multi AV Scanner detection for dropped file 66->120 122 Machine Learning detection for dropped file 66->122 71 stub.exe 66->71         started        74 schtasks.exe 66->74         started        file23 signatures24 process25 signatures26 136 Antivirus detection for dropped file 71->136 138 Multi AV Scanner detection for dropped file 71->138 140 Machine Learning detection for dropped file 71->140
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 16:12:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c35ymcol64qogg3ykcqc7q5csunej36nv4nv7olacyhh2fph2aeq._file
Verdict:
malicious
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey collection spyware stealer trojan
Link:
https://tria.ge/reports/221212-tng2tsbg62/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
Malware Config
C2 Extraction:
62.204.41.13/gjend7w/index.php
Dropper Extraction:
https://e-hemsire.net/data/avatars/config_20.ps1
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/76e51e40-1f4a-4768-95a5-952b5126a061
Unpacked files
SH256 hash:
16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009
MD5 hash:
94403f8fdc2f6aab27c4b847c3f7ec36
SHA1 hash:
4621477bd66e7a4c683fe33ce56783de656f7df3
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/41c72b03-ded9-4b72-8f6f-e274df486392/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2454971/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/345515/

Comments