MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4
SHA3-384 hash: 014d1e490bb7b3d1e5637bde0068b11d78fc90341e1e8788e3584b62839802e439847e956d3f5a2fe7f0f46b08387bb7
SHA1 hash: 8bae22ddabade96489ebb34770746f2689ae4b96
MD5 hash: 5f8fed8ed4d54bad01996a24518ac017
humanhash: florida-jig-ink-mango
File name:5f8fed8ed4d54bad01996a24518ac017
Download: download sample
Signature Amadey
Create hunting rule
File size:1'171'968 bytes
First seen:2023-10-15 20:20:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:HyrlV7kTMzMcseMjC2mEAhWYJFfEKLsg1RyHTeKKxj3:Srl9kTtcseMjLHV6fEMsg10yKi
Threatray 1'310 similar samples on MalwareBazaar
TLSH T142452395B2E8446AC87617315CF357A3173AFCA04A38D72F3741B68A0CB278499763B7
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
5f8fed8ed4d54bad01996a24518ac017
Verdict:
Malicious activity
Analysis date:
2023-10-15 20:23:35 UTC
Tags:
stealc stealer sinkhole redline
Link:
https://app.any.run/tasks/3bd3657b-1c05-42f5-88a6-dd9980823077

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/454609/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Modifying a system executable file
Delayed writing of the file
Launching a process
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file
Reading critical registry keys
Searching for the window
Launching cmd.exe command interpreter
Creating a window
Stealing user critical data
Unauthorized injection to a recently created process
Infecting executable files
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/652c49afc51de9263e5abcad/reports/15c20461-381e-47b6-a6b6-99a87ce1264d/overview
Verdict:
Malicious
Labled as:
Kryptik.JKR.gen
Link:
https://www.hybrid-analysis.com/sample/1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1672c75-3a2d-4552-a60f-47297ab6e04b
Result
Threat name:
Amadey, Babadeda, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1326003
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1326003 Sample: gY3WhhnC7S.exe Startdate: 15/10/2023 Architecture: WINDOWS Score: 100 143 Snort IDS alert for network traffic 2->143 145 Found malware configuration 2->145 147 Malicious sample detected (through community Yara rule) 2->147 149 12 other signatures 2->149 13 gY3WhhnC7S.exe 1 4 2->13         started        16 0xvwBZ7rbkihXMN.exe 2->16         started        19 rundll32.exe 2->19         started        21 2 other processes 2->21 process3 file4 91 C:\Users\user\AppData\Local\...\kE5GE8xw.exe, PE32 13->91 dropped 93 C:\Users\user\AppData\Local\...\6Kf44td.exe, PE32 13->93 dropped 23 kE5GE8xw.exe 1 4 13->23         started        103 Tries to harvest and steal browser information (history, passwords, etc) 16->103 signatures5 process6 file7 77 C:\Users\user\AppData\Local\...\vt7Zn4nh.exe, PE32 23->77 dropped 79 C:\Users\user\AppData\Local\...\5zh27VA.exe, PE32 23->79 dropped 157 Antivirus detection for dropped file 23->157 159 Multi AV Scanner detection for dropped file 23->159 161 Machine Learning detection for dropped file 23->161 27 vt7Zn4nh.exe 1 4 23->27         started        signatures8 process9 file10 87 C:\Users\user\AppData\Local\...\vr5ZT1PX.exe, PE32 27->87 dropped 89 C:\Users\user\AppData\Local\...\4Va282dB.exe, PE32 27->89 dropped 171 Antivirus detection for dropped file 27->171 173 Multi AV Scanner detection for dropped file 27->173 175 Machine Learning detection for dropped file 27->175 31 vr5ZT1PX.exe 1 4 27->31         started        35 4Va282dB.exe 27->35         started        signatures11 process12 file13 95 C:\Users\user\AppData\Local\...\qL1kM3NV.exe, PE32 31->95 dropped 97 C:\Users\user\AppData\Local\...\3JY1aX68.exe, PE32 31->97 dropped 105 Antivirus detection for dropped file 31->105 107 Multi AV Scanner detection for dropped file 31->107 109 Machine Learning detection for dropped file 31->109 37 qL1kM3NV.exe 1 4 31->37         started        41 3JY1aX68.exe 31->41         started        111 Writes to foreign memory regions 35->111 113 Allocates memory in foreign processes 35->113 115 Injects a PE file into a foreign processes 35->115 43 conhost.exe 35->43         started        45 AppLaunch.exe 35->45         started        47 WerFault.exe 35->47         started        signatures14 process15 file16 73 C:\Users\user\AppData\Local\...\2iB361bu.exe, PE32 37->73 dropped 75 C:\Users\user\AppData\Local\...\1Te37vS3.exe, PE32 37->75 dropped 151 Antivirus detection for dropped file 37->151 153 Machine Learning detection for dropped file 37->153 49 1Te37vS3.exe 1 37->49         started        52 2iB361bu.exe 4 37->52         started        155 Multi AV Scanner detection for dropped file 41->155 signatures17 process18 dnsIp19 127 Contains functionality to inject code into remote processes 49->127 129 Writes to foreign memory regions 49->129 131 Allocates memory in foreign processes 49->131 133 Injects a PE file into a foreign processes 49->133 55 AppLaunch.exe 21 49->55         started        60 WerFault.exe 21 16 49->60         started        62 conhost.exe 49->62         started        99 77.91.124.55, 19071, 49747, 49749 ECOTEL-ASRU Russian Federation 52->99 135 Antivirus detection for dropped file 52->135 137 Multi AV Scanner detection for dropped file 52->137 139 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->139 141 2 other signatures 52->141 signatures20 process21 dnsIp22 101 5.42.92.88, 49744, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 55->101 81 C:\Users\user\AppData\...\0xvwBZ7rbkihXMN.exe, PE32 55->81 dropped 83 C:\Users\user\AppData\...\gxh1zkPpn3Hkv7jS, SQLite 55->83 dropped 85 C:\Users\user\...\gxh1zkPpn3Hkv7jS.dll, PE32 55->85 dropped 163 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 55->163 165 Found many strings related to Crypto-Wallets (likely being stolen) 55->165 167 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 55->167 169 3 other signatures 55->169 64 0xvwBZ7rbkihXMN.exe 55->64         started        67 cmd.exe 55->67         started        file23 signatures24 process25 signatures26 117 Multi AV Scanner detection for dropped file 64->117 119 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 64->119 121 Machine Learning detection for dropped file 64->121 123 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 64->123 125 Uses schtasks.exe or at.exe to add and modify task schedules 67->125 69 conhost.exe 67->69         started        71 schtasks.exe 67->71         started        process27
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-15 20:21:05 UTC
File Type:
PE (Exe)
Extracted files:
193
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d7x7ekg7wl3px6bktdow5vf67gicx4pg7zwca66amr7eoxvvic2a._file
Verdict:
malicious
Similar samples:
12fb005f8400051a07486a0b93e1429ec4db0ac2575d9eb1630e7d804813d60f
Amadey
26c8b7f5d0f9a0138e5ac0cd5b9d7c4ab9e9e16fbaa221117d7bf6464e85eb69
Amadey
2dd12ba5ec9cefe83d3d75f694fcb042e38bfa2497f7faab35925f502aa01200
Amadey
3c06b888fa64e1994ad92bda806599ea9cc2af64aaa33f7f77ba9f3e6f29c811
Amadey
40e6462c4b45d7f081b00cdcd7c8106ee6fa786e4c06bcbaae181b19e20a994b
Amadey
6914377ccb1e95eb5708d111909e5e3616f465303e246f5590a6d9d4b891089f
Amadey
d69958c38bd04cd3b71d6e43032fb8466ffc5f7cf90d524120bfd23f9337cc8e
Amadey
df005f88813d478d60f63d568c2dca197caa651e737408f1bc0a929ef9fccf86
Amadey
ebb1f2b70c5a940af8c3d6065d3b1022d40f5cd48f3b5f88a9e41bdf35e20745
Amadey
fcf8b3334a4c5863aa1006ca4674c344f1f39c2ca19a010722671494c14e985b
Amadey
+ 1'300 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kukish infostealer persistence
Link:
https://tria.ge/reports/231015-y4zc9scb73/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.55:19071
Unpacked files
SH256 hash:
c359cad2d4b0cb214d0e84d78cc648637cb3f09e3ac774b97d1b50175752706e
MD5 hash:
2da2d4908005e48f676c9b1310aca54c
SHA1 hash:
964698d411f778c036fe13913e915d641b2908e8
Link:
https://www.unpac.me/results/2fdd84bc-8277-49bc-b019-8e3e2d4c84db/
SH256 hash:
89e08cf4af85b8f761078c830a50a2710c5bba96611e854743c3d5f3eac3436a
MD5 hash:
e179fc24031360ff9638f4a90e6477fb
SHA1 hash:
4eef3044d91cc57f822a8db0d152a4afc30ea3d5
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/2fdd84bc-8277-49bc-b019-8e3e2d4c84db/
Parent samples :
1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4
f6ecf026ba3bfb6c5221d65a255a5bd2cc0dc8a8d7373a0dcaef5499ee6b534a
34f2caa08c72909033efcf3848fda6766b679d99545193dfcd23301a838a3181
SH256 hash:
043dfc2d4ba2ec7fd8b2284479d464d19448b485bf2bdac37879caa7c035d195
MD5 hash:
f15f42e5c943c317471ef97df7251c64
SHA1 hash:
edc8e04d9ec093f16fdb89bbdb0e5873ab3f6da0
Link:
https://www.unpac.me/results/2fdd84bc-8277-49bc-b019-8e3e2d4c84db/
SH256 hash:
6bd7e9cf04c05a42195aacae7662c5c50a32c1d398624ae459fa8d6668cb78e4
MD5 hash:
12c0ce8cedb380b31d98241d9d4e694b
SHA1 hash:
212f38ae14f16dd7ef0a2df851ec1bc8fcb3b514
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/2fdd84bc-8277-49bc-b019-8e3e2d4c84db/
SH256 hash:
65902e7364d26f4d55cbf043656218949de732a510a1fc9856ee85e12803746a
MD5 hash:
ab30d0efffc6caf14c0cf18a99c74cad
SHA1 hash:
500ef5879105743e49fc12ecf61a3e588fc3178a
Link:
https://www.unpac.me/results/2fdd84bc-8277-49bc-b019-8e3e2d4c84db/
SH256 hash:
1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4
MD5 hash:
5f8fed8ed4d54bad01996a24518ac017
SHA1 hash:
8bae22ddabade96489ebb34770746f2689ae4b96
Link:
https://www.unpac.me/results/2fdd84bc-8277-49bc-b019-8e3e2d4c84db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 1feff228dfb2f6fbf82a98dd6ed4bef9902bf1e6fe6c207bc0647e475eb540b4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/454609/

Comments


Avatar
zbet commented on 2023-10-15 20:20:43 UTC

url : hxxp://77.91.68.52/fuza/foto2552.exe