MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2717e858a682baf7aca8c8e322429b837cd8314dc42986641961b712041567bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 17



SHA256 hash: 2717e858a682baf7aca8c8e322429b837cd8314dc42986641961b712041567bf
SHA3-384 hash: ad73428c4cf015bb819ca449e005c9aee5117e8c69a056670cb3938990303924d0881cfd7cf0049e52702664b7fc4701
SHA1 hash: 9d2240f0fa9e19c8bb895d9133080dc4de01916e
MD5 hash: df908a98e22ff86d79dfa9a05ed99101
humanhash: utah-grey-sweet-berlin
File name: file
Signature: Amadey
File size: 1'942'528 bytes
First seen: 2024-08-15 04:06:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:aoI6Ot0ICks7luVhOR4FNZSktvnC/pfoF8+SII+YUWugpSXgk3g:aoxOGkWlu4WNZSk0/pfE8qIXuwfw
TLSH: T1DA95334A51E9307BE2FED7F54D42568BBCD1107396261C0AF40ADBA46CF3A51278F2CA
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: Bitsight
Tags: Amadey exe


Bitsight
url: http://185.215.113.16/soka/random.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 461
Origin country: US
Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2024-08-15 04:09:35 UTC
Tags: amadey botnet stealer loader metastealer redline stealc themida cryptbot lumma

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Execution Generic Infostealer Network Stealth

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: microsoft_visual_cc packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, PureLog Stealer, RedLine, Stealc
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
High number of junk calls found (likely related to sandbox DOS / API hammering)
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Forfiles.EXE Child Process Masquerading
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph: ID 1493202, sample file.exe, start date 15/08/2024, architecture WINDOWS, score 100. The graph image is not reproduced here; its node text is laid out below as a process tree (node numbers in brackets are the graph's own).

Start node [2]
  Network: jSbXVBiItIINfreBHvLPHxDRe.jSbXVBiItIINfreBHvLPHxDRe; ysYYxpNGjGvjPGjztDBQGphraIQu.ysYYxpNGjGvjPGjztDBQGphraIQu; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 30 other signatures
  Started: axplong.exe [11]; file.exe [16]; axplong.exe [18]; 2 other processes [20]

axplong.exe [11]
  Network: 185.215.113.16 (ports 49737, 49738, 49740) WHOLESALECONNECTIONSNL, Portugal; 185.196.11.123 (ports 49741, 49744, 49752) SIMPLECARRIERCH, Switzerland
  Dropped: C:\Users\user\AppData\Local\...\MePaxil.exe (PE32); C:\Users\user\AppData\Local\...\14082024.exe (PE32); C:\Users\user\AppData\Local\...\runtime.exe (PE32); 20 other malicious files
  Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  Started: rorukal.exe [22]; stealc_default.exe [26]; GOLD.exe [29]; 4 other processes [33]

file.exe [16]
  Dropped: C:\Users\user\AppData\Local\...\axplong.exe (PE32); C:\Users\user\...\axplong.exe:Zone.Identifier (ASCII)
  Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
  Started: axplong.exe [31]

2 other processes [20]
  Network: stagingbyvdveen.com 147.45.60.44 (ports 49749, 80) FREE-NET-ASFREEnetEU, Russian Federation
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)

rorukal.exe [22]
  Dropped: C:\ProgramData\Microsoft\Windows\...\cmd.exe (PE32); C:\ProgramData\Microsoft\...\forfiles.exe (PE32+)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 2 other signatures
  Started: forfiles.exe [35]

stealc_default.exe [26]
  Network: 185.215.113.17 (ports 49748, 80) WHOLESALECONNECTIONSNL, Portugal
  Dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 9 other files (5 malicious)
  Signatures: Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures

GOLD.exe [29]
  Signatures: Contains functionality to inject code into remote processes; 3 other signatures
  Started: RegAsm.exe [37]; RegAsm.exe [41]

axplong.exe [31]
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); 4 other signatures

4 other processes [33]
  Network: 45.66.231.214 (ports 49756, 9932) CMCSUS, Germany
  Dropped: C:\Users\user\AppData\Local\...\Hkbsse.exe (PE32)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
  Started: cmd.exe [43]; RegAsm.exe [46]; Hkbsse.exe [48]; conhost.exe [50]

forfiles.exe [35]
  Started: cmd.exe [52]; conhost.exe [55]

RegAsm.exe [37]
  Network: 20.52.165.210 (ports 39030, 49739) MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
  Signatures: Installs new ROOT certificates; Found many strings related to Crypto-Wallets (likely being stolen); Tries to steal Crypto Currency Wallets

RegAsm.exe [41]
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

cmd.exe [43]
  Dropped: C:\Users\user\AppData\Local\...\Beijing.pif (PE32)
  Signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
  Started: Beijing.pif [57]; conhost.exe [60]; tasklist.exe [62]; 7 other processes [70]

RegAsm.exe [46]
  Dropped: C:\Users\user\AppData\...\o6bIixeL3o.exe (PE32); C:\Users\user\AppData\...\3mhIzrp24A.exe (PE32)
  Started: 3mhIzrp24A.exe [64]; o6bIixeL3o.exe [66]; Conhost.exe [68]

Hkbsse.exe [48]
  Signatures: Multi AV Scanner detection for dropped file

cmd.exe [52]
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
  Started: AppLaunch.exe [72]; AppLaunch.exe [75]

Beijing.pif [57]
  Dropped: C:\Users\user\AppData\Local\...\MindLynx.pif (PE32); C:\Users\user\AppData\Local\...\MindLynx.js (ASCII)
  Signatures: Drops PE files with a suspicious file extension
  Started: cmd.exe [77]; cmd.exe [80]

3mhIzrp24A.exe [64]
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: conhost.exe [82]

o6bIixeL3o.exe [66]
  Started: conhost.exe [84]

AppLaunch.exe [72]
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign process
  Started: AppLaunch.exe [86]; conhost.exe [90]

cmd.exe [77]
  Dropped: C:\Users\user\AppData\...\MindLynx.url (MS)
  Started: conhost.exe [92]

cmd.exe [80]
  Started: conhost.exe [94]; schtasks.exe [96]

AppLaunch.exe [86]
  Network: 127.0.0.1 unknown unknown
  Signatures: Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows
Threat name: Win32.Ransomware.RedLine
Status: Malicious
First seen: 2024-08-15 04:07:06 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma family:redline family:stealc botnet:14082024 botnet:814fa botnet:a51500 botnet:buy tg @fatherofcarders botnet:default botnet:fed3aa botnet:livetraffic credential_access discovery evasion infostealer spyware stealer trojan
Behaviour
Checks processor information in registry
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Looks for VMWare Tools registry key
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Amadey
Lumma Stealer, LummaC
RedLine
RedLine payload
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.215.113.16
20.52.165.210:39030
http://185.215.113.17
45.66.231.214:9932
http://api.garageserviceoperation.com
185.215.113.67:21405
88.99.151.68:7200
https://complaintsipzzx.shop/api
https://writerospzm.shop/api
https://deallerospfosu.shop/api
https://bassizcellskz.shop/api
https://mennyudosirso.shop/api
https://languagedscie.shop/api
https://quialitsuzoxm.shop/api
https://tenntysjuxmz.shop/api
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: bff214ff4ce3d3a0d73509e00bc9f84fa5a53e435443602626e9c2b3673dffce
MD5 hash: 7f3ef7f80db505acc1d0e17915b5920c
SHA1 hash: 9dcaa9a34b9d7e7e145c03f1cf363b8b7c3b7398
Detections: win_amadey

SHA256 hash: 2717e858a682baf7aca8c8e322429b837cd8314dc42986641961b712041567bf
MD5 hash: df908a98e22ff86d79dfa9a05ed99101
SHA1 hash: 9d2240f0fa9e19c8bb895d9133080dc4de01916e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_detect_tls_callbacks

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Amadey
    Executable exe 2717e858a682baf7aca8c8e322429b837cd8314dc42986641961b712041567bf (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                        | Title                                                  | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                   | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX                  | Missing Non-Executable Memory Protection               | critical

Comments