MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 274f3f634099fc303b594c76743a296a478881fe29d2a0aa66afb18909d9f83f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 274f3f634099fc303b594c76743a296a478881fe29d2a0aa66afb18909d9f83f
SHA3-384 hash: 8e8b0a90990d3cb20a71cbc0a5653e614a7d8e502cee777f19e314f40746668b483065aeba6f4a3dff211713d206d9c7
SHA1 hash: 2ff3f87e9054e79242523dc55a0a32526701513e
MD5 hash: 07bb4ac965ff0962bcb0b86a2cf075de
humanhash: carolina-golf-failed-undress
File name:07bb4ac965ff0962bcb0b86a2cf075de
Download: download sample
Signature Amadey
Create hunting rule
File size:930'304 bytes
First seen:2023-08-24 00:13:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:wf30vvGvuuY8Vgj56mx/b+IMhigEn6quGc:wf30Gm78zmV/xuG
Threatray 1'222 similar samples on MalwareBazaar
TLSH T10915BC7A61B01227F4C190F8FFF45A976E64F5234A8139DEC25042AA0E47BBCF95835B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
07bb4ac965ff0962bcb0b86a2cf075de
Verdict:
Malicious activity
Analysis date:
2023-08-24 00:16:35 UTC
Tags:
amadey trojan kelihos loader fabookie stealer smoke miner
Link:
https://app.any.run/tasks/2f42b9d6-bc71-4890-8a2e-d816bfbb5281

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444373/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.43.25955.14377.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Sending an HTTP GET request
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/274f3f634099fc303b594c76743a296a478881fe29d2a0aa66afb18909d9f83f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56da7d6e-a50a-4d68-9fa5-76688547102c
Result
Threat name:
Amadey, Fabookie, Glupteba, SmokeLoader,
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1296264
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the hosts file
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Glupteba
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1296264 Sample: zQepx7goP0.exe Startdate: 24/08/2023 Architecture: WINDOWS Score: 100 164 Snort IDS alert for network traffic 2->164 166 Multi AV Scanner detection for domain / URL 2->166 168 Found malware configuration 2->168 170 18 other signatures 2->170 12 zQepx7goP0.exe 4 2->12         started        16 powershell.exe 2->16         started        18 yiueea.exe 2->18         started        20 3 other processes 2->20 process3 file4 130 C:\Users\user\AppData\...\latestplayer.exe, PE32 12->130 dropped 132 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 12->132 dropped 208 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->208 22 latestplayer.exe 3 12->22         started        26 aafg31.exe 14 12->26         started        29 conhost.exe 16->29         started        signatures5 process6 dnsIp7 122 C:\Users\user\AppData\Local\...\yiueea.exe, PE32 22->122 dropped 194 Antivirus detection for dropped file 22->194 196 Multi AV Scanner detection for dropped file 22->196 198 Machine Learning detection for dropped file 22->198 200 Contains functionality to inject code into remote processes 22->200 31 yiueea.exe 22 22->31         started        136 app.nnnaajjjgc.com 154.221.26.108, 49727, 49729, 49731 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 26->136 138 z.nnnaajjjgc.com 156.236.72.121, 443, 49725 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 26->138 140 2 other IPs or domains 26->140 124 C:\Users\...\584eb34cd9366fef7b97c28737c39f14, SQLite 26->124 dropped 202 Contains functionality to infect the boot sector 26->202 204 Contains functionality to steal Chrome passwords or cookies 26->204 206 Tries to harvest and steal browser information (history, passwords, etc) 26->206 file8 signatures9 process10 dnsIp11 144 79.137.192.18, 49726, 49728, 49730 PSKSET-ASRU Russian Federation 31->144 146 app.nnnaajjjgc.com 31->146 112 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 31->112 dropped 114 C:\Users\user\AppData\Local\...\datacas.exe, PE32 31->114 dropped 116 C:\Users\user\AppData\...\repairtool.exe, PE32 31->116 dropped 118 3 other malicious files 31->118 dropped 156 Antivirus detection for dropped file 31->156 158 Multi AV Scanner detection for dropped file 31->158 160 Creates an undocumented autostart registry key 31->160 162 2 other signatures 31->162 36 repairtool.exe 31->36         started        39 datacas.exe 31->39         started        41 latestX.exe 31->41         started        44 2 other processes 31->44 file12 signatures13 process14 file15 172 Antivirus detection for dropped file 36->172 174 Multi AV Scanner detection for dropped file 36->174 176 Detected unpacking (changes PE section rights) 36->176 178 Injects a PE file into a foreign processes 36->178 46 repairtool.exe 36->46         started        180 Detected unpacking (overwrites its own PE header) 39->180 182 Machine Learning detection for dropped file 39->182 184 Modifies the windows firewall 39->184 186 Drops PE files with benign system names 39->186 49 datacas.exe 39->49         started        52 powershell.exe 39->52         started        126 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 41->126 dropped 128 C:\Windows\System32\drivers\etc\hosts, ASCII 41->128 dropped 188 Suspicious powershell command line found 41->188 190 Modifies the hosts file 41->190 192 Adds a directory exclusion to Windows Defender 41->192 54 conhost.exe 44->54         started        56 conhost.exe 44->56         started        58 cmd.exe 1 44->58         started        60 5 other processes 44->60 signatures16 process17 file18 218 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->218 220 Maps a DLL or memory area into another process 46->220 222 Checks if the current machine is a virtual machine (disk enumeration) 46->222 224 Creates a thread in another existing process (thread injection) 46->224 62 explorer.exe 46->62 injected 120 C:\Windows\rss\csrss.exe, PE32 49->120 dropped 226 Creates an autostart registry key pointing to binary in C:\Windows 49->226 67 cmd.exe 49->67         started        69 powershell.exe 49->69         started        71 powershell.exe 49->71         started        73 powershell.exe 49->73         started        75 conhost.exe 52->75         started        signatures19 process20 dnsIp21 142 host-host-file8.com 194.169.175.250, 49872, 80 CLOUDCOMPUTINGDE Germany 62->142 134 C:\Users\user\AppData\Roaming\ejjfuws, PE32 62->134 dropped 148 System process connects to network (likely due to code injection or exploit) 62->148 150 Benign windows process drops PE files 62->150 152 Suspicious powershell command line found 62->152 154 Hides that the sample has been downloaded from the Internet (zone.identifier) 62->154 77 cmd.exe 62->77         started        80 cmd.exe 62->80         started        82 powershell.exe 62->82         started        84 netsh.exe 67->84         started        86 conhost.exe 67->86         started        88 conhost.exe 69->88         started        90 conhost.exe 71->90         started        92 conhost.exe 73->92         started        file22 signatures23 process24 signatures25 210 Uses powercfg.exe to modify the power settings 77->210 212 Uses netsh to modify the Windows network and firewall settings 77->212 214 Modifies power options to not sleep / hibernate 77->214 94 conhost.exe 77->94         started        96 sc.exe 77->96         started        98 sc.exe 77->98         started        108 3 other processes 77->108 100 conhost.exe 80->100         started        102 powercfg.exe 80->102         started        104 powercfg.exe 80->104         started        110 2 other processes 80->110 106 conhost.exe 82->106         started        216 Creates files in the system32 config directory 84->216 process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/274f3f634099fc303b594c76743a296a478881fe29d2a0aa66afb18909d9f83f/
Threat name:
ByteCode-MSIL.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-08-23 00:57:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5ht6y2ath6dao2zjr3hiorjnjdyrap6fhjkbktgv6yyscoz7a7q._file
Verdict:
malicious
Similar samples:
0bc3689575acffde20abb2ff8db97b9698b07fc0e2f64a04ef10dea26fe64d87
Amadey
3995ed61d4b3901bfacb5a8d36500664c1145c6287f8eba5f0077ef1b780355c
Amadey
6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7
Amadey
84c286184b95e0b070ef9b5dba2f347f0f009da781a5f75182629ee8286ac3f7
Amadey
8a2e061b3b38dff83f62982a6b0087e5c4ea1c47192bf0ac2f8f67397636b164
Amadey
bb1aa29dca7c55add0bd5e53c735645b5cd0d5ab5105fd412026fa2c69e06191
Amadey
c9dbc567a9764bc8e3daef054db96a7b8074b1855370f558d2ee5d859e705485
Amadey
d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
Amadey
ee1e789a40e3cc8ff607726cbe0a8b72b86a51e933787a7074ac6c0b58bc59c7
Amadey
+ 1'212 additional samples on MalwareBazaar
Result
Malware family:
fabookie
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:fabookie spyware stealer trojan
Link:
https://tria.ge/reports/230824-ajbjpsgg57/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Amadey
Detect Fabookie payload
Fabookie
Malware Config
C2 Extraction:
79.137.192.18/9bDc8sQ/index.php
Unpacked files
SH256 hash:
274f3f634099fc303b594c76743a296a478881fe29d2a0aa66afb18909d9f83f
MD5 hash:
07bb4ac965ff0962bcb0b86a2cf075de
SHA1 hash:
2ff3f87e9054e79242523dc55a0a32526701513e
Link:
https://www.unpac.me/results/7e8e06a8-d1cc-4f1d-8d4d-fb24cea17236/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/274f3f634099/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/274f3f634099fc303b594c76743a296a478881fe29d2a0aa66afb18909d9f83f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:msil_rc4
Create hunting rule
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:shortloader
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:ShortLoader Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 274f3f634099fc303b594c76743a296a478881fe29d2a0aa66afb18909d9f83f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2706551/
Cape
Cape
https://www.capesandbox.com/analysis/444373/

Comments


Avatar
zbet commented on 2023-08-24 00:13:39 UTC

url : hxxp://79.137.192.18/wowo2.exe