MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 236b141121d5f8772f85bf485a6675102c871e22734bcb8f2e11478c2d8d3365. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 236b141121d5f8772f85bf485a6675102c871e22734bcb8f2e11478c2d8d3365
SHA3-384 hash: eee60c35cfe4a3ae0d8c44a2566eef680b1c80937b5f932f1906fb81e667fe8c72a619f64f8988cf02475f90ea73d400
SHA1 hash: 9777a7ffac5e18b9b8b9a566a1be17f0ab1ab402
MD5 hash: 0607a527a8ef15720f3bee3a134d3e76
humanhash: early-alpha-venus-alanine
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:6'661'200 bytes
First seen:2023-12-21 19:45:34 UTC
Last seen:2023-12-21 21:18:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ea02e00483c90b3f210e2d517ab619a (14 x Amadey, 2 x CoinMiner)
ssdeep 196608:l1cMrm+eLFVlfqATlzu6TJDFqODrncCIexHIKfU:lzsLFVlxi6TZcOVIcZ
TLSH T15966334AC9071EC3C9BAB074F1635B8317DAFC98E03655C2D8DEB2485AF6D0AED06761
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon fcc4c8d2d2cce4dc (1 x Amadey)
Reporter jstrosch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
331
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-12-21 19:46:24 UTC
Tags:
amadey botnet stealer loader
Link:
https://app.any.run/tasks/826e905b-c0fd-42ca-b128-55a228b68843

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468872/
Detection(s):
SecuriteInfo.com.Trojan.Siggen22.47027.21671.17002.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmpress lolbin mpress overlay packed packed packed shell32 xpack
Link:
https://www.filescan.io/uploads/65849604b855eb3693ebf705/reports/18f8f351-e5b9-4059-8012-dca6c2958da1/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/236b141121d5f8772f85bf485a6675102c871e22734bcb8f2e11478c2d8d3365
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5cbb946a-81c7-470d-988e-fe5f96828e06
Result
Threat name:
Amadey, MicroClip, Xmrig
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365815
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect virtual machines (IN, VMware)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected MicroClip
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365815 Sample: file.exe Startdate: 21/12/2023 Architecture: WINDOWS Score: 100 102 fr-zephyr.miningocean.org 2->102 124 Snort IDS alert for network traffic 2->124 126 Found malware configuration 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 15 other signatures 2->130 12 file.exe 4 2->12         started        16 ma.exe 2->16         started        18 Utsysc.exe 2->18         started        20 8 other processes 2->20 signatures3 process4 file5 96 C:\Users\user\AppData\Local\...\Utsysc.exe, MS-DOS 12->96 dropped 158 Detected unpacking (changes PE section rights) 12->158 22 Utsysc.exe 2 25 12->22         started        160 Hijacks the control flow in another process 16->160 162 Writes to foreign memory regions 16->162 164 Allocates memory in foreign processes 16->164 166 2 other signatures 16->166 27 vbc.exe 16->27         started        29 schtasks.exe 16->29         started        signatures6 process7 dnsIp8 106 185.172.128.32, 49733, 80 NADYMSS-ASRU Russian Federation 22->106 108 185.172.128.5, 49731, 49732, 49734 NADYMSS-ASRU Russian Federation 22->108 88 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 22->88 dropped 90 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 22->90 dropped 92 C:\Users\user\AppData\Local\Temp\...\ma.exe, PE32+ 22->92 dropped 94 5 other malicious files 22->94 dropped 148 Multi AV Scanner detection for dropped file 22->148 150 Creates an undocumented autostart registry key 22->150 152 Creates multiple autostart registry keys 22->152 154 Uses schtasks.exe or at.exe to add and modify task schedules 22->154 31 ma.exe 22->31         started        35 cp.exe 4 22->35         started        37 rundll32.exe 22->37         started        41 2 other processes 22->41 156 Query firmware table information (likely to detect VMs) 27->156 39 conhost.exe 29->39         started        file9 signatures10 process11 file12 98 C:\ProgramData\...\OneDrive.exe, PE32+ 31->98 dropped 112 Multi AV Scanner detection for dropped file 31->112 114 Detected unpacking (changes PE section rights) 31->114 116 Contains functionality to detect hardware virtualization (CPUID execution measurement) 31->116 122 2 other signatures 31->122 43 cmd.exe 31->43         started        100 C:\ProgramData\pinterests\XRJNZC.exe, PE32 35->100 dropped 118 Found evasive API chain (may stop execution after checking mutex) 35->118 120 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 35->120 45 cmd.exe 1 35->45         started        47 rundll32.exe 21 37->47         started        50 conhost.exe 41->50         started        signatures13 process14 signatures15 52 OneDrive.exe 43->52         started        56 conhost.exe 43->56         started        58 timeout.exe 43->58         started        60 XRJNZC.exe 45->60         started        62 conhost.exe 45->62         started        64 timeout.exe 45->64         started        168 Tries to steal Instant Messenger accounts or passwords 47->168 170 Uses netsh to modify the Windows network and firewall settings 47->170 172 Tries to harvest and steal ftp login credentials 47->172 174 2 other signatures 47->174 66 netsh.exe 2 47->66         started        68 tar.exe 2 47->68         started        process16 dnsIp17 104 185.172.128.11 NADYMSS-ASRU Russian Federation 52->104 132 Multi AV Scanner detection for dropped file 52->132 134 Hijacks the control flow in another process 52->134 136 Tries to detect sandboxes and other dynamic analysis tools (window names) 52->136 142 7 other signatures 52->142 70 vbc.exe 52->70         started        74 cmd.exe 52->74         started        138 Found evasive API chain (may stop execution after checking mutex) 60->138 140 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 60->140 76 schtasks.exe 60->76         started        78 conhost.exe 66->78         started        80 conhost.exe 68->80         started        signatures18 process19 dnsIp20 110 fr-zephyr.miningocean.org 188.165.76.243 OVHFR France 70->110 144 Query firmware table information (likely to detect VMs) 70->144 146 Found strings related to Crypto-Mining 70->146 82 conhost.exe 74->82         started        84 schtasks.exe 74->84         started        86 conhost.exe 76->86         started        signatures21 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/236b141121d5f8772f85bf485a6675102c871e22734bcb8f2e11478c2d8d3365
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/236b141121d5f8772f85bf485a6675102c871e22734bcb8f2e11478c2d8d3365/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=envriejb2x4hol4fx5efuztvcawiohrconf4xdzocfdyylmngnsq._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:xmrig miner persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/231221-ygys8aebe3/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
Uses the VBS compiler for execution
VMProtect packed file
Blocklisted process makes network request
Downloads MZ/PE file
XMRig Miner payload
Amadey
xmrig
Malware Config
C2 Extraction:
http://185.172.128.5
Unpacked files
SH256 hash:
f73f53b322a785f8ee5c9cd3aa5302cdad3d29e4e23a3f7bc584bfce2b963e68
MD5 hash:
db1fac75e58db4b4c966e9bcb6c9e057
SHA1 hash:
2275f9febc6e088760a50ade921f43d4ba59b1cd
Detections:
win_amadey_bytecodes_oct_2023
Create hunting rule
win_amadey
Create hunting rule
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/f1b05c00-1cea-420e-ac59-8a4f4a226297/
SH256 hash:
236b141121d5f8772f85bf485a6675102c871e22734bcb8f2e11478c2d8d3365
MD5 hash:
0607a527a8ef15720f3bee3a134d3e76
SHA1 hash:
9777a7ffac5e18b9b8b9a566a1be17f0ab1ab402
Detections:
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/f1b05c00-1cea-420e-ac59-8a4f4a226297/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/236b141121d5f8772f85bf485a6675102c871e22734bcb8f2e11478c2d8d3365

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 236b141121d5f8772f85bf485a6675102c871e22734bcb8f2e11478c2d8d3365

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2737075/
  
URLhaus
https://urlhaus.abuse.ch/url/2739361/
  
URLhaus
https://urlhaus.abuse.ch/url/2733669/
Cape
Cape
https://www.capesandbox.com/analysis/468872/

Comments