MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a03f9dfaa3f1f2d8f17c4dbb46723d77439e6f3eeae78f1597ce78de8ade90a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 10

SHA256 hash: 2a03f9dfaa3f1f2d8f17c4dbb46723d77439e6f3eeae78f1597ce78de8ade90a
SHA3-384 hash: fc87d4b22e611a48f12460e3e6620cf53fdbf81cf7000560ff6e73092c311aaeea8edbb5a2a3f57bbc775c85260b78e2
SHA1 hash: 9a07533a8942ddb436c5348da445b5aa1187cbcc
MD5 hash: 74f5c7b65aa17fa191f8611ed1a156e6
humanhash: oscar-nuts-monkey-utah
File name: SecuriteInfo.com.Win32.PWSX-gen.18465.17543
Signature: Amadey
File size: 2'639'360 bytes
First seen: 2024-02-05 03:22:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0980a5bdf7b225ee6a859c0ebee6a4b5 (4 x Amadey, 2 x RedLineStealer, 1 x LummaStealer)
ssdeep: 49152:4W6VJ6z5a3VAuEJ5wKAcs4dMnlov2TfQVXAcT/LVn1:P6VYrzvbdMKv2T4VXAcTxn
TLSH: T10AC533013037707CC84B283E4B5D2FBF8DD6A989B23B4F3769611F4A99AD6487750DA2
TrID: 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      9.1% (.EXE) OS/2 Executable (generic) (2029/13)
      9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: SecuriteInfoCom
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 449
Origin country: FR

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: enigma lolbin packed packed shell32

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: LummaC, Amadey, PureLog Stealer, RedLine
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to check for running processes (XOR)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Behaviour
Behavior Graph (ID 1386503; sample SecuriteInfo.com.Win32.PWSX...; start date 05/02/2024; architecture WINDOWS; score 100), flattened into a process tree:

Sample (root)
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures
  Started: explorgu.exe; MPGPH131.exe; MPGPH131.exe; 8 other processes

explorgu.exe
  Network: 185.215.113.32 (WHOLESALECONNECTIONSNL, Portugal); 109.107.182.3 (TELEPORT-TV-ASRU, Russian Federation); 193.233.132.167 (FREE-NET-ASFREEnetEU, Russian Federation)
  Dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\ladas.exe (PE32); 7 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Creates multiple autostart registry keys; Contains functionality to inject code into remote processes
  Started: plaza.exe; ladas.exe; rundll32.exe; 2 other processes

MPGPH131.exe (first instance)
  Signatures: Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)

MPGPH131.exe (second instance)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Hides threads from debuggers

8 other processes (started by the sample)
  Network: 18.160.60.35 (MIT-GATEWAYSUS, United States); 142.250.105.84 (GOOGLEUS, United States); 19 other IPs or domains
  Dropped: C:\Users\user\AppData\...\gmpopenh264.dll.tmp (PE32+); C:\Users\user\...\gmpopenh264.dll (copy) (PE32+); C:\Users\user\AppData\Local\...\explorgu.exe (PE32); 2 other malicious files
  Started: msedge.exe; firefox.exe; msedge.exe; msedge.exe

plaza.exe
  Network: 34.117.186.192 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); 193.233.132.62 (FREE-NET-ASFREEnetEU, Russian Federation)
  Dropped: C:\Users\user\...\zArg0W7MskkmDabi1xa4.exe (PE32); C:\Users\user\...\ZdkWEzp2Crw_oq5PEc0j.exe (PE32); C:\Users\user\...\9E9datY17RS9WScGzvSc.exe (PE32); 8 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to check for running processes (XOR); 6 other signatures
  Started: 9E9datY17RS9WScGzvSc.exe; ZdkWEzp2Crw_oq5PEc0j.exe; 1XDBsOsf5fD_KPAaSF6Z.exe; 2 other processes

ladas.exe
  Dropped: C:\Users\user\...\cvqi1nKydDXZPXe5MwHQ.exe (PE32); C:\Users\user\...\ONicEoP0Cv_ueQEjK1Wb.exe (PE32); C:\Users\user\...\MW4Cx3U_BC6E10pX80Tf.exe (PE32); 6 other malicious files
  Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to steal Mail credentials (via file / registry access); 4 other signatures
  Started: ONicEoP0Cv_ueQEjK1Wb.exe; cvqi1nKydDXZPXe5MwHQ.exe

rundll32.exe (started by explorgu.exe)
  Started: rundll32.exe

msedge.exe (first instance)
  Network: 13.107.21.239 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 13.107.213.41 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 31 other IPs or domains

firefox.exe
  Network: 34.107.221.82 (GOOGLEUS, United States)

2 other processes (started by explorgu.exe)
  Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: RegAsm.exe

9E9datY17RS9WScGzvSc.exe
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Modifies windows update settings; 3 other signatures

ZdkWEzp2Crw_oq5PEc0j.exe
  Signatures: Multi AV Scanner detection for dropped file; Hides threads from debuggers

1XDBsOsf5fD_KPAaSF6Z.exe
  Signatures: Binary is likely a compiled AutoIt script file
  Started: chrome.exe; chrome.exe; chrome.exe; 9 other processes

rundll32.exe (child of the rundll32.exe above)
  Signatures: Tries to steal Instant Messenger accounts or passwords; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal ftp login credentials; 2 other signatures
  Started: powershell.exe; netsh.exe

RegAsm.exe
  Network: 104.21.47.178 (CLOUDFLARENETUS, United States); 104.21.58.31 (CLOUDFLARENETUS, United States); 3 other IPs or domains

2 other processes (started by plaza.exe)
  Started: conhost.exe; conhost.exe

chrome.exe (first instance)
  Network: 192.168.2.4 (unknown); 239.255.255.250 (Reserved)
  Started: chrome.exe

chrome.exe (second and third instances)
  Started: chrome.exe (one child each)

powershell.exe
  Dropped: C:\Users\user\...\246122658369_Desktop.zip (Zip)
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen)
  Started: conhost.exe

netsh.exe
  Started: conhost.exe

9 other processes (started by 1XDBsOsf5fD_KPAaSF6Z.exe)
  Started: msedge.exe; msedge.exe

chrome.exe (child of the first chrome.exe)
  Network: 142.250.105.105 (GOOGLEUS, United States); 142.250.105.94 (GOOGLEUS, United States); 29 other IPs or domains
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2024-02-05 03:23:06 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 20 of 23 (86.96%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: risepro
Score: 10/10
Tags: family:amadey family:risepro stealer trojan
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
.NET Reactor protector
Executes dropped EXE
Downloads MZ/PE file
Amadey
RisePro
Malware Config
C2 Extraction:
http://185.215.113.32
65.109.90.47:50500
193.233.132.62:50500
Unpacked files
SHA256 hash: 2a03f9dfaa3f1f2d8f17c4dbb46723d77439e6f3eeae78f1597ce78de8ade90a
MD5 hash: 74f5c7b65aa17fa191f8611ed1a156e6
SHA1 hash: 9a07533a8942ddb436c5348da445b5aa1187cbcc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Amadey
Author: kevoreilly
Description: Amadey Payload

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: EnigmaStub
Author: @bartblaze
Description: Identifies Enigma packer stub.

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

Rule name: win_amadey_bytecodes_oct_2023
Author: Matthew @ Embee_Research
