MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24e7c8cea0b5787de8f92ae97a8f50c1de5da0e440abe84b9657d0c62d3e518a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24e7c8cea0b5787de8f92ae97a8f50c1de5da0e440abe84b9657d0c62d3e518a
SHA3-384 hash: a683274d094bfa85bff39320ed79a4c720ec8857e17de3a6768a7c48ecb276e5f78a4e7f1b07a33ae691d8c13a34e56c
SHA1 hash: 062e3404b45f64e899492a48c61c0cf6f897f88f
MD5 hash: b2a3971887df35a0e25ebce1d88f255e
humanhash: stream-queen-mobile-carbon
File name:SecuriteInfo.com.Win32.Evo-gen.26431.15713
Download: download sample
Signature Amadey
Create hunting rule
File size:1'938'432 bytes
First seen:2024-05-30 13:24:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:sLCCYsi78rENoquOLR5QVWcNac46kUdhLtDY9PJgoJ:sL/s7WEq6R5Q4c66V+7gq
TLSH T174953322ED274ADBD885DE771F048CE917773A016CAEC7840644C6B7EB6774B3A214A3
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
24e7c8cea0b5787de8f92ae97a8f50c1de5da0e440abe84b9657d0c62d3e518a.exe
Verdict:
Malicious activity
Analysis date:
2024-05-30 13:25:59 UTC
Tags:
amadey botnet stealer loader lumma redline meta metastealer stealc opendir berbew evasion
Link:
https://app.any.run/tasks/5f7c57f6-f660-4689-a87e-989f3afb3bff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.26431.15713.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66587e5520ad30d2876771e2win7simulatehigh_evasion
Tags:
Banker Network Stealth Crypt Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/66587e35458fabe8a95d458b/reports/fb2c80f1-6514-4435-81dc-11a8481ba9c6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/24e7c8cea0b5787de8f92ae97a8f50c1de5da0e440abe84b9657d0c62d3e518a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/01044624-bc33-482d-a001-f19146e6f90b
Result
Threat name:
LummaC, Amadey, LummaC Stealer, Mars Ste
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1449594
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disables UAC (registry)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1449594 Sample: SecuriteInfo.com.Win32.Evo-... Startdate: 30/05/2024 Architecture: WINDOWS Score: 100 180 Found malware configuration 2->180 182 Malicious sample detected (through community Yara rule) 2->182 184 Antivirus detection for URL or domain 2->184 186 24 other signatures 2->186 10 SecuriteInfo.com.Win32.Evo-gen.26431.15713.exe 5 2->10         started        14 axplont.exe 2->14         started        16 axplont.exe 2->16         started        18 5 other processes 2->18 process3 dnsIp4 98 C:\Users\user\AppData\Local\...\axplont.exe, PE32 10->98 dropped 196 Detected unpacking (changes PE section rights) 10->196 198 Tries to evade debugger and weak emulator (self modifying code) 10->198 200 Tries to detect virtualization through RDTSC time measurements 10->200 202 Potentially malicious time measurement code found 10->202 21 axplont.exe 36 10->21         started        204 Hides threads from debuggers 14->204 206 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->206 208 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 14->208 112 20.190.159.64 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->112 114 184.28.90.27 AKAMAI-ASUS United States 18->114 116 2 other IPs or domains 18->116 26 WerFault.exe 18->26         started        28 WerFault.exe 18->28         started        30 WerFault.exe 18->30         started        file5 signatures6 process7 dnsIp8 120 185.172.128.19 NADYMSS-ASRU Russian Federation 21->120 122 147.45.47.70 FREE-NET-ASFREEnetEU Russian Federation 21->122 84 C:\Users\user\AppData\Local\...84ewoff.exe, PE32 21->84 dropped 86 C:\Users\user\AppData\Local\...\file300un.exe, PE32+ 21->86 dropped 88 C:\Users\user\AppData\Local\...\swizzzz.exe, PE32 21->88 dropped 90 11 other malicious files 21->90 dropped 188 Detected unpacking (changes PE section rights) 21->188 190 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->190 192 Creates HTML files with .exe extension (expired dropper behavior) 21->192 194 4 other signatures 21->194 32 file300un.exe 21->32         started        35 33333.exe 21->35         started        37 gold.exe 21->37         started        39 4 other processes 21->39 file9 signatures10 process11 dnsIp12 144 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 32->144 146 Writes to foreign memory regions 32->146 148 Allocates memory in foreign processes 32->148 162 2 other signatures 32->162 43 RegSvcs.exe 32->43         started        58 3 other processes 32->58 150 Found many strings related to Crypto-Wallets (likely being stolen) 35->150 152 Injects a PE file into a foreign processes 35->152 48 RegAsm.exe 4 35->48         started        50 WerFault.exe 35->50         started        154 LummaC encrypted strings found 37->154 52 RegAsm.exe 37->52         started        60 4 other processes 37->60 124 185.215.113.67 WHOLESALECONNECTIONSNL Portugal 39->124 126 104.192.141.1 AMAZON-02US United States 39->126 128 52.217.14.132 AMAZON-02US United States 39->128 92 C:\Users\user\AppData\Local\Temp\eng.exe, PE32 39->92 dropped 94 C:\Users\user\AppData\Local\...\FirstZ.exe, PE32+ 39->94 dropped 96 C:\Users\user\AppData\Local\...\FirstZ[1].exe, PE32+ 39->96 dropped 156 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->156 158 Creates an undocumented autostart registry key 39->158 160 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 39->160 164 4 other signatures 39->164 54 RegAsm.exe 39->54         started        56 RegAsm.exe 39->56         started        62 3 other processes 39->62 file13 signatures14 process15 dnsIp16 142 12 other IPs or domains 43->142 100 C:\Users\...\wN0AcoSaSbTjGwieyASUFjWT.exe, PE32+ 43->100 dropped 102 C:\Users\...\njNct59sRVpqwf5Sm8lETfHG.exe, PE32+ 43->102 dropped 104 C:\Users\...\n3s1Lw7rc2mpeDtt2TYLzDit.exe, PE32+ 43->104 dropped 110 61 other malicious files 43->110 dropped 210 Creates HTML files with .exe extension (expired dropper behavior) 43->210 64 9z50KyfYwPajVXwSJZmnY7KW.exe 43->64         started        106 C:\Users\user\AppData\Roaming\...\svhoost.exe, PE32 48->106 dropped 108 C:\Users\user\AppData\Roaming\...\One.exe, PE32 48->108 dropped 67 svhoost.exe 6 24 48->67         started        70 One.exe 4 48->70         started        130 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 50->130 132 104.21.76.102 CLOUDFLARENETUS United States 52->132 212 Query firmware table information (likely to detect VMs) 52->212 214 Tries to harvest and steal ftp login credentials 52->214 216 Tries to harvest and steal browser information (history, passwords, etc) 52->216 134 188.114.97.3 CLOUDFLARENETUS European Union 54->134 218 Found many strings related to Crypto-Wallets (likely being stolen) 54->218 220 Tries to steal Crypto Currency Wallets 54->220 136 23.88.106.134 ENZUINC-US United States 56->136 222 Tries to harvest and steal Bitcoin Wallet information 56->222 72 cmd.exe 56->72         started        138 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 58->138 224 Installs new ROOT certificates 58->224 226 Loading BitLocker PowerShell Module 58->226 74 conhost.exe 58->74         started        140 20.42.73.29 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 60->140 76 conhost.exe 62->76         started        file17 signatures18 process19 dnsIp20 166 Found direct / indirect Syscall (likely to bypass EDR) 64->166 118 185.172.128.33 NADYMSS-ASRU Russian Federation 67->118 168 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 67->168 170 Installs new ROOT certificates 67->170 172 Found many strings related to Crypto-Wallets (likely being stolen) 67->172 178 2 other signatures 67->178 174 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 70->174 176 Reads the System eventlog 70->176 78 conhost.exe 70->78         started        80 conhost.exe 72->80         started        82 timeout.exe 72->82         started        signatures21 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/24e7c8cea0b5787de8f92ae97a8f50c1de5da0e440abe84b9657d0c62d3e518a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24e7c8cea0b5787de8f92ae97a8f50c1de5da0e440abe84b9657d0c62d3e518a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-05-30 11:35:09 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 38 (55.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ett4rtvawv4h32hzfluxvd2qyhpf3iheicv6qs4wk7immlj6kgfa._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:privateloader family:redline family:xmrig botnet:1 botnet:49e482 bootkit discovery evasion execution infostealer loader miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/240530-qnyg2abb78/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Modifies firewall policy service
PrivateLoader
RedLine
RedLine payload
UAC bypass
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://147.45.47.70
185.215.113.67:40960
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7e33fe09-3ebb-4631-a01e-ca175294b6c8
Unpacked files
SH256 hash:
dcc295d2294eea0495251a9576a0946960d6aa67e8a2345486f776b1702379e7
MD5 hash:
7deb94917a0be5df1dfd8a3955532486
SHA1 hash:
9a9ab151097380864a7ef43230d5defd0de2f8c3
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/27037d20-cf8f-4501-99b8-d52560181a1d/
SH256 hash:
24e7c8cea0b5787de8f92ae97a8f50c1de5da0e440abe84b9657d0c62d3e518a
MD5 hash:
b2a3971887df35a0e25ebce1d88f255e
SHA1 hash:
062e3404b45f64e899492a48c61c0cf6f897f88f
Link:
https://www.unpac.me/results/27037d20-cf8f-4501-99b8-d52560181a1d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/24e7c8cea0b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24e7c8cea0b5787de8f92ae97a8f50c1de5da0e440abe84b9657d0c62d3e518a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 24e7c8cea0b5787de8f92ae97a8f50c1de5da0e440abe84b9657d0c62d3e518a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2869029/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2869064/
  
URLhaus
https://urlhaus.abuse.ch/url/2869086/
  
URLhaus
https://urlhaus.abuse.ch/url/2869093/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments