MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 250298a15ca5e40170a1feb8e639b12bbd591a448ebbfe5bc7574a1532596c46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 250298a15ca5e40170a1feb8e639b12bbd591a448ebbfe5bc7574a1532596c46
SHA3-384 hash: 1d84a3d32b77762c555903408c7685fcf801a729f6bd964aba948690fd218f707e1b63511829c6e7d479f425b0b647c6
SHA1 hash: 5ca03199a0db7465ca7fb92d2d48642f4f981d17
MD5 hash: 56dfbe78d5e7f1c1156a8dae8672a3e5
humanhash: alanine-spring-colorado-missouri
File name:56dfbe78d5e7f1c1156a8dae8672a3e5
Download: download sample
Signature Amadey
Create hunting rule
File size:378'880 bytes
First seen:2021-12-01 14:52:34 UTC
Last seen:2021-12-01 16:36:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6777c2daa60f6bf0e60c4c794f841432 (1 x ArkeiStealer, 1 x RaccoonStealer, 1 x Amadey)
ssdeep 6144:oRlpGL1znefJnJ7LeG5Rn+MaVDqa1Z/ApUeI8B7Q2Q:alpWzefjeGHn+MaVDqa4pUeIOQ
Threatray 191 similar samples on MalwareBazaar
TLSH T10D84AE10AAA0D035F1F312F85AB593B8693E3EA16B7490CF22D516EA5775AE1EC30317
File icon (PE):PE icon
dhash icon b2dacabecee6baa2 (33 x RedLineStealer, 30 x Smoke Loader, 28 x Stop)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
360
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
56dfbe78d5e7f1c1156a8dae8672a3e5
Verdict:
Malicious activity
Analysis date:
2021-12-01 14:57:14 UTC
Tags:
trojan amadey
Link:
https://app.any.run/tasks/27c692ab-302e-4fac-a015-f94fb0446f92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210355/
Detection(s):
SecuriteInfo.com.Variant.Ulise.326483.3527.2560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Creating a window
Delayed reading of the file
Query of malicious DNS domain
Sending a TCP request to an infection source
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/447/overview
Behaviour
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61a78c51f9d950eb11b5a33f/reports/7bbb3925-bf99-4e99-b4b7-6e8a1619e9c5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06ee7edc-fd05-45fe-87b8-bd45a66c96df
Result
Threat name:
Amadey RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/899537
Signature
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Posts data to a JPG file (protocol mismatch)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532036 Sample: HAj2cZvmU6 Startdate: 01/12/2021 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Multi AV Scanner detection for domain / URL 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 9 other signatures 2->78 8 HAj2cZvmU6.exe 4 2->8         started        12 tkools.exe 2->12         started        14 tkools.exe 2->14         started        process3 file4 62 C:\Users\user\AppData\Local\...\tkools.exe, PE32 8->62 dropped 88 Detected unpacking (changes PE section rights) 8->88 90 Detected unpacking (overwrites its own PE header) 8->90 92 Contains functionality to inject code into remote processes 8->92 16 tkools.exe 16 8->16         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        25 2 other processes 8->25 signatures5 process6 dnsIp7 64 185.215.113.35, 49753, 49754, 49759 WHOLESALECONNECTIONSNL Portugal 16->64 66 ke.ckauni.ru 81.177.141.85, 443, 49755, 49756 RTCOMM-ASRU Russian Federation 16->66 68 2 other IPs or domains 16->68 58 CrinkliesScampers_...-12-01_15-36[1].exe, PE32 16->58 dropped 60 C:\Users\user\AppData\Local\...\batl[1].exe, MS-DOS 16->60 dropped 80 Multi AV Scanner detection for dropped file 16->80 82 Detected unpacking (changes PE section rights) 16->82 84 Detected unpacking (overwrites its own PE header) 16->84 86 5 other signatures 16->86 27 tkools.exe 5 16->27         started        31 cmd.exe 1 16->31         started        33 tkools.exe 16->33         started        35 schtasks.exe 1 16->35         started        37 conhost.exe 21->37         started        41 2 other processes 21->41 43 3 other processes 23->43 39 conhost.exe 25->39         started        45 3 other processes 25->45 file8 signatures9 process10 dnsIp11 70 95.143.179.152 RHTEC-ASrh-tecIPBackboneDE Russian Federation 27->70 94 Tries to harvest and steal browser information (history, passwords, etc) 27->94 96 Tries to steal Crypto Currency Wallets 27->96 47 reg.exe 1 31->47         started        50 conhost.exe 31->50         started        52 WerFault.exe 33->52         started        54 WerFault.exe 33->54         started        56 conhost.exe 35->56         started        signatures12 process13 signatures14 98 Creates an undocumented autostart registry key 47->98
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/250298a15ca5e40170a1feb8e639b12bbd591a448ebbfe5bc7574a1532596c46/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 14:45:38 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eubjrik4uxsac4fb724omonrfo6vsgser2574w6hk5fbkmsznrda._file
Verdict:
malicious
Similar samples:
4194b8d83f6a72469c75a45c7fcfae079989a6883c9dd7dc124d800c57f6fe54
Amadey
4db35ea029c5e2d5073018bed89c24b0c4e54b831ff6d5ddf0e370b6289d3631
Amadey
72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5
Amadey
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112
Amadey
9820500aae4c3b3b5ab38a63f9776a75cfb2203a20798682207aee9e6526aba8
Amadey
c394d2204e02ef3a37d2760d04aa64819fcf7bb5186764e5a48f052379b3a10c
Amadey
fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e
Amadey
ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2
Amadey
+ 181 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:mix 01.12 discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/211201-r9a5asdahj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Amadey
RedLine
RedLine Payload
suricata: ET MALWARE Amadey CnC Check-In
Malware Config
C2 Extraction:
185.215.113.35/d2VxjasuwS/index.php
95.143.179.152:42556
Unpacked files
SH256 hash:
87c233cf81a1be07342c1f67dc40b71c95d39249674eac0fdfdf631754a9de42
MD5 hash:
39236aec7824a8f4fab52ac2ba318770
SHA1 hash:
70cb4c5092d786f9ba121a1d66dd6c3d4e732e9b
Link:
https://www.unpac.me/results/2504eb75-b154-4419-b632-ede0b69f60f2/
SH256 hash:
250298a15ca5e40170a1feb8e639b12bbd591a448ebbfe5bc7574a1532596c46
MD5 hash:
56dfbe78d5e7f1c1156a8dae8672a3e5
SHA1 hash:
5ca03199a0db7465ca7fb92d2d48642f4f981d17
Link:
https://www.unpac.me/results/2504eb75-b154-4419-b632-ede0b69f60f2/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/250298a15ca5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/250298a15ca5e40170a1feb8e639b12bbd591a448ebbfe5bc7574a1532596c46

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 250298a15ca5e40170a1feb8e639b12bbd591a448ebbfe5bc7574a1532596c46

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1841987/
Cape
Cape
https://www.capesandbox.com/analysis/210355/

Comments


Avatar
zbet commented on 2021-12-01 14:52:35 UTC

url : hxxp://host-file-host-3.com/files/5298_1638362460_3072.exe