MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23a363810e5d66c620d5069ab26eb4625e899cbb2bf4d49978e1582ae100d5eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23a363810e5d66c620d5069ab26eb4625e899cbb2bf4d49978e1582ae100d5eb
SHA3-384 hash: 18d22cde92be20d7bb25c20a83921d18c48fc62f1748f2f2d314b8bcb6d84c7f6f2a0ea0f0787a620a5693b03e985f39
SHA1 hash: ad384d731162250141ef02196ebb970dd89adbe9
MD5 hash: 6ced085779b2d439cab6d085699b195a
humanhash: monkey-india-illinois-don
File name:23a363810e5d66c620d5069ab26eb4625e899cbb2bf4d49978e1582ae100d5eb
Download: download sample
Signature Amadey
Create hunting rule
File size:3'189'760 bytes
First seen:2024-12-12 13:23:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:LI7DZzEXJTzJDkmk+xQJAwOp9ZeDv2rHIZxarB/RD6z8xmCilaC7At2p01Lp1kC3:5pr+DuDIeNgdPyXUdSqAha1K25
TLSH T1ABE54CB16B0472CBE88DB6F44927DF825A5D03B90B21C8D3985C66F97D6BCC115BAC38
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
17.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter JAMESWT_WT
Tags:Amadey exe immureprech-biz

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
23a363810e5d66c620d5069ab26eb4625e899cbb2bf4d49978e1582ae100d5eb
Verdict:
Malicious activity
Analysis date:
2024-12-12 13:30:53 UTC
Tags:
amadey botnet stealer loader gcleaner themida
Link:
https://app.any.run/tasks/9c982d7e-9c6a-41e1-80ff-039698e15929

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoader47.57462.13167.30320.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675ae5c3e19061cac7efb467
Tags:
shellcode autorun virus zusy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/675ae4073ca6a7f38eb831ef/reports/e8cf568a-d7b9-4a05-928b-e7e6bcf0ccde/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/23a363810e5d66c620d5069ab26eb4625e899cbb2bf4d49978e1582ae100d5eb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5bdb68b5-b544-4e8a-a871-877d1b1d6e56
Result
Threat name:
Amadey, LummaC Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1573703
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers system information via systeminfo
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Copy itself to suspicious location via type command
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1573703 Sample: yiDQb6GkBq.exe Startdate: 12/12/2024 Architecture: WINDOWS Score: 100 88 yqqeqcygyguuwwkk.xyz 2->88 90 yqgckwiqkcgeygak.xyz 2->90 92 65 other IPs or domains 2->92 118 Suricata IDS alerts for network traffic 2->118 120 Found malware configuration 2->120 122 Malicious sample detected (through community Yara rule) 2->122 126 17 other signatures 2->126 9 skotes.exe 37 2->9         started        14 yiDQb6GkBq.exe 5 2->14         started        16 skotes.exe 2->16         started        18 M5iFR20.exe 2->18         started        signatures3 124 Performs DNS queries to domains with low reputation 90->124 process4 dnsIp5 100 185.215.113.43, 49747, 49753, 49773 WHOLESALECONNECTIONSNL Portugal 9->100 102 185.215.113.16, 49907, 49928, 80 WHOLESALECONNECTIONSNL Portugal 9->102 104 31.41.244.11, 49758, 49775, 49801 AEROEXPRESS-ASRU Russian Federation 9->104 76 C:\Users\user\AppData\...\95025a00c8.exe, PE32 9->76 dropped 78 C:\Users\user\AppData\...\0685f09fda.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\...\5799e5ec40.exe, PE32 9->80 dropped 86 12 other malicious files 9->86 dropped 158 Hides threads from debuggers 9->158 160 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->160 162 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 9->162 20 M5iFR20.exe 9->20         started        23 87538ab999.exe 9->23         started        25 5799e5ec40.exe 9->25         started        32 5 other processes 9->32 82 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->82 dropped 84 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->84 dropped 164 Detected unpacking (changes PE section rights) 14->164 166 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->166 168 Tries to evade debugger and weak emulator (self modifying code) 14->168 170 Tries to detect virtualization through RDTSC time measurements 14->170 28 skotes.exe 14->28         started        172 Binary is likely a compiled AutoIt script file 18->172 174 Gathers system information via systeminfo 18->174 30 cmd.exe 18->30         started        file6 signatures7 process8 dnsIp9 128 Multi AV Scanner detection for dropped file 20->128 130 Binary is likely a compiled AutoIt script file 20->130 132 Machine Learning detection for dropped file 20->132 134 Gathers system information via systeminfo 20->134 34 cmd.exe 2 20->34         started        37 curl.exe 1 20->37         started        40 cmd.exe 20->40         started        51 7 other processes 20->51 136 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->136 148 2 other signatures 23->148 106 grahm.xyz 116.203.10.31, 443, 49885, 49898 HETZNER-ASDE Germany 25->106 108 t.me 149.154.167.99, 443, 49877 TELEGRAMRU United Kingdom 25->108 138 Detected unpacking (overwrites its own PE header) 25->138 140 Found many strings related to Crypto-Wallets (likely being stolen) 25->140 142 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 25->142 144 Antivirus detection for dropped file 28->144 146 Detected unpacking (changes PE section rights) 28->146 150 3 other signatures 28->150 53 3 other processes 30->53 152 2 other signatures 32->152 43 6f79b29ee1.exe 32->43         started        45 c7017f8470.exe 32->45         started        47 conhost.exe 32->47         started        49 conhost.exe 32->49         started        signatures10 process11 dnsIp12 110 Drops PE files to the startup folder 34->110 55 systeminfo.exe 2 1 34->55         started        58 conhost.exe 34->58         started        60 tasklist.exe 1 34->60         started        94 peerhost59mj7i6macla65r.com 94.154.172.218, 443, 49796, 49805 LVLT-10753US Germany 37->94 96 127.0.0.1 unknown unknown 37->96 62 conhost.exe 37->62         started        74 C:\Users\user\AppData\Roaming\...\M5iFR20.exe, PE32 40->74 dropped 64 conhost.exe 40->64         started        112 Found many strings related to Crypto-Wallets (likely being stolen) 43->112 114 Tries to harvest and steal browser information (history, passwords, etc) 43->114 116 Tries to steal Crypto Currency Wallets 43->116 98 drive-connect.cyou 104.21.79.7, 443, 49781, 49788 CLOUDFLARENETUS United States 45->98 66 conhost.exe 51->66         started        68 conhost.exe 51->68         started        70 conhost.exe 51->70         started        72 4 other processes 51->72 file13 signatures14 process15 signatures16 154 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 55->154 156 Writes or reads registry keys via WMI 55->156
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/23a363810e5d66c620d5069ab26eb4625e899cbb2bf4d49978e1582ae100d5eb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23a363810e5d66c620d5069ab26eb4625e899cbb2bf4d49978e1582ae100d5eb/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-12-11 15:59:46 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eorwhaiolvtmmigva2nle3vumjpithf3fp2njgly4fmcvyia2xvq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:gcleaner family:lumma family:stealc botnet:9c9aa5 botnet:stok credential_access discovery evasion loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/241212-qndsmavqas/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Windows security modification
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.43
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
http://185.215.113.206
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/af900ff4-6ad6-45ad-9022-cb4853fd743e
Unpacked files
SH256 hash:
dcd2ca4148610b3f9e1300a2d6d507656c8b1b98fa0d9b1bb3d19cb4cb0608f3
MD5 hash:
e4aa59a031bcf4d66f0ea1d440743bd2
SHA1 hash:
c1a3817e6244450c22733ab61fd39aaf6a9c2bcc
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/d53f2e8d-f30b-401f-b57f-c47220caa94d/
SH256 hash:
23a363810e5d66c620d5069ab26eb4625e899cbb2bf4d49978e1582ae100d5eb
MD5 hash:
6ced085779b2d439cab6d085699b195a
SHA1 hash:
ad384d731162250141ef02196ebb970dd89adbe9
Link:
https://www.unpac.me/results/d53f2e8d-f30b-401f-b57f-c47220caa94d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23a363810e5d66c620d5069ab26eb4625e899cbb2bf4d49978e1582ae100d5eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 23a363810e5d66c620d5069ab26eb4625e899cbb2bf4d49978e1582ae100d5eb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3072521/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3279844/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments