MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d0f94b4b4a8810d847191d1673796c647cacc4705174bd4ebd39d77317873e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 14

Intelligence 14 IOCs YARA 16 File information Comments

SHA256 hash:	1d0f94b4b4a8810d847191d1673796c647cacc4705174bd4ebd39d77317873e6
SHA3-384 hash:	b24da1ccea712518a233e46f678fa5dd3b21971f3120514a150f8dc245ed533e84527523fb93a860174fc68a3ce34748
SHA1 hash:	094f6be77d2c99d5f2ef34565d10e01891e87656
MD5 hash:	2e286885f013038736e0b1c155c5d2b9
humanhash:	ohio-quebec-minnesota-autumn
File name:	file
Download:	download sample
Signature	Amadey Create hunting rule
File size:	5'151'040 bytes
First seen:	2024-02-07 13:45:56 UTC
Last seen:	2024-02-07 15:41:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	49152:rmFl50gd3snsqrVfzeHaa9YsBUxdj46QG1ZKR2xgxeKOG3HK+v4AZhk+LVK5r9Ip:rmFl50gdvu6XBU/U6/K8OxN3Kih3yaHf
Threatray	148 similar samples on MalwareBazaar
TLSH	T19136BF57B6958D33F36D2733E6E6C00843BDE95357F1EB0B2692216814A23698C82F77
TrID	44.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 34.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 6.3% (.EXE) Win64 Executable (generic) (10523/12/4) 3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	cadbe3c9a5b3e270 (1 x Amadey)
Reporter	jstrosch
Tags:	.NET Amadey exe MSIL

jstrosch

Found at hxxp://185.172.128[.]32/ama.exe by #subcrawl

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

Vendor Threat Intelligence

Detection:

Amadey

Link:

https://www.capesandbox.com/analysis/475153/

Detection(s):

SecuriteInfo.com.Trojan.Siggen25.48283.20968.18013.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypto explorer hacktool lolbin overlay packed packed regsvcs

Link:

https://www.filescan.io/uploads/65c389aa2cb3f19023f41dbe/reports/b647857f-957b-446a-a68c-b0a11df9bddc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/1d0f94b4b4a8810d847191d1673796c647cacc4705174bd4ebd39d77317873e6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2a612bd4-d612-4536-a132-b6f8c58526ec

Result

Threat name:

Amadey, PureLog Stealer, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1388355

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found evasive API chain checking for user administrative privileges

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Snort IDS alert for network traffic

Suspicious powershell command line found

Writes to foreign memory regions

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected PureLog Stealer

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1d0f94b4b4a8810d847191d1673796c647cacc4705174bd4ebd39d77317873e6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d0f94b4b4a8810d847191d1673796c647cacc4705174bd4ebd39d77317873e6/

Threat name:

Win32.Trojan.Znyonm

Status:

Malicious

First seen:

2024-02-07 08:30:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

126

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=duhzjnfuvcaq3bdrshiwon4wyzd4vtchauluxvhl2ooxomlyopta._file

Verdict:

malicious

Amadey

1a5c7660734a21cca0291598a5f887bb54d0708ec7335ec9f7602b796e021773

Amadey

36a30e606017f573e19072778619ee90c3f20a58d3a428beca5d5da742936e28

Amadey

5d905533d8e256b512b055c2cd67ea481307b83a9c4e10cb5ae1999eafb36586

Amadey

784468b404f0132cf74488744453d6ad499c5cbf618c526796f606c1a7edd3c8

Amadey

cb80f3f8dbdf12c6929acd19d547b1c0278e7b71a4e2bcf232a7776cf1c287df

Amadey

+ 138 additional samples on MalwareBazaar

Result

Malware family:

amadey

Score:

10/10

Tags:

family:amadey persistence trojan

Link:

https://tria.ge/reports/240207-q2y1qahcc8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Launches sc.exe

Suspicious use of SetThreadContext

Adds Run key to start application

.NET Reactor proctector

Drops startup file

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

Amadey

Malware Config

C2 Extraction:

http://185.172.128.63

Unpacked files

SH256 hash:

9f614eb937f7db8f4ee1b13a5efb9503eec4d63180b5026f7563639c22969e3e

MD5 hash:

9ef573f9fe0ce60e0ad5c3fdedb1f6d0

SHA1 hash:

17dd95e43f5602109ec47192bab57744812f61da

Detections:

win_amadey_auto

win_amadey

Link:

https://www.unpac.me/results/0697a109-1f35-493f-8e9f-dd09ae39b0d4/

Parent samples :

4098768512e0290686ce227b5f60f597b47467cc5dff2f06651d4a7c0a80caa2
4f7d0800c59a3214c012ff3be7120e1a275ceb70e24530789633eb95a93b54d8
1d0f94b4b4a8810d847191d1673796c647cacc4705174bd4ebd39d77317873e6

SH256 hash:

1d0f94b4b4a8810d847191d1673796c647cacc4705174bd4ebd39d77317873e6

MD5 hash:

2e286885f013038736e0b1c155c5d2b9

SHA1 hash:

094f6be77d2c99d5f2ef34565d10e01891e87656

Detections:

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/0697a109-1f35-493f-8e9f-dd09ae39b0d4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1d0f94b4b4a8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Amadey

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1d0f94b4b4a8810d847191d1673796c647cacc4705174bd4ebd39d77317873e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Amadey Create hunting rule
Author:	kevoreilly
Description:	Amadey Payload

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	win_amadey_a9f4 Create hunting rule
Author:	Johannes Bader
Description:	matches unpacked Amadey samples

Rule name:	win_amadey_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.amadey.

Rule name:	win_amadey_bytecodes_oct_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

exe 1d0f94b4b4a8810d847191d1673796c647cacc4705174bd4ebd39d77317873e6

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2737075/

URLhaus

https://urlhaus.abuse.ch/url/2744395/

URLhaus

https://urlhaus.abuse.ch/url/2739361/

URLhaus

https://urlhaus.abuse.ch/url/2733669/

Cape

https://www.capesandbox.com/analysis/475153/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample