MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dacdf216df545b4d515f408a2e8579a0f251591ca8e5da22835fd245682e81d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2dacdf216df545b4d515f408a2e8579a0f251591ca8e5da22835fd245682e81d
SHA3-384 hash: 7e899a86631d49d7f0a057623857a61627f584c92c6769804bc039a3924e796a38229af230d1bdc85405de405eddbb2f
SHA1 hash: 36439e162309f9e1416b8bb82a2aa3d7c8c626c0
MD5 hash: 9446ccda35c40cfbad670710e452611c
humanhash: black-robin-beryllium-uncle
File name:9446ccda35c40cfbad670710e452611c.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:491'008 bytes
First seen:2023-05-06 18:35:20 UTC
Last seen:2023-05-13 22:45:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:aMrCy90Otl0mALsc07+kEhFsEOqf/itNf8emvxWBfGE:syhl7WK69hTOg9lv2+E
Threatray 179 similar samples on MalwareBazaar
TLSH T12AA40253ABDC9033D8B22B7058F702D30B357EB29974926B2795985E4CB26C47931B3B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
217.196.96.101:4132

Intelligence

File Origin
# of uploads :
2
# of downloads :
286
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
9446ccda35c40cfbad670710e452611c.exe
Verdict:
Malicious activity
Analysis date:
2023-05-06 18:37:35 UTC
Tags:
rat redline trojan amadey loader
Link:
https://app.any.run/tasks/9935fe3e-a55a-48a7-9ccb-a71cd4aa9d1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387147/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.RedLineNET.6.30883.12673.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching a service
Creating a window
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82833/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll anti-vm CAB greyware installer packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/64569e12c20bb1c7d0f29a4f/reports/d8a02c90-e932-4398-8ad6-4135b8f629e0/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1310591
Link:
https://www.hybrid-analysis.com/sample/2dacdf216df545b4d515f408a2e8579a0f251591ca8e5da22835fd245682e81d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Deyma
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed6ced38-8a2e-4145-accd-dbba7dbe56ce
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1227547
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 860511 Sample: VijAvx78hE.exe Startdate: 06/05/2023 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 11 other signatures 2->40 7 VijAvx78hE.exe 1 4 2->7         started        10 rundll32.exe 2->10         started        12 rundll32.exe 2->12         started        process3 file4 24 C:\Users\user\AppData\Local\...\x5900393.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\Local\...\i7699165.exe, PE32 7->26 dropped 14 x5900393.exe 1 4 7->14         started        process5 file6 28 C:\Users\user\AppData\Local\...\h6942749.exe, PE32 14->28 dropped 30 C:\Users\user\AppData\Local\...\g2739441.exe, PE32 14->30 dropped 54 Antivirus detection for dropped file 14->54 56 Multi AV Scanner detection for dropped file 14->56 58 Machine Learning detection for dropped file 14->58 18 g2739441.exe 5 14->18         started        22 h6942749.exe 9 1 14->22         started        signatures7 process8 dnsIp9 32 217.196.96.101, 4132, 49699 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 18->32 42 Antivirus detection for dropped file 18->42 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->44 46 Machine Learning detection for dropped file 18->46 52 3 other signatures 18->52 48 Disable Windows Defender notifications (registry) 22->48 50 Disable Windows Defender real time protection (registry) 22->50 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2dacdf216df545b4d515f408a2e8579a0f251591ca8e5da22835fd245682e81d/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-05-06 18:36:06 UTC
File Type:
PE (Exe)
Extracted files:
79
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwwn6iln6vc3jviv6qekf2cxtihskfmrzkhf3irigx6sivuc5aoq._file
Verdict:
malicious
Similar samples:
1503129c1499aee0902cfcfa2d78d909e0f5117d9f7091134309eb05564a2e8f
Amadey
42f43904f6b1ebfb34d57a7522ee30e61140e374ebf098835e65afc2be10ee5e
Amadey
47905a192164ebc97d304e93c68649617afefccca619ebd49739a852b0c8821d
Amadey
71736b82afe976a960c2a1b2fb47d15dde9724fa57d46b361526c8d7e8df115c
Amadey
8dad64d50dae279010dd6d487290efd3049f5f5f3d268ba94f80311ec943e50b
Amadey
a0ff39d79052423460d782d27fd57d2998700e9c2a7aad4bc9669f5b9a736cfc
Amadey
a134c27ea8c8496f0ccb2735216a50c34f6a851adc886833cc210e3d3fe0f710
Amadey
d43e533bb11aadc204eb283ce804d56133de67ebd443c80fb375e79983766337
Amadey
d5f12d23ec77b03613ee51d46c0ed53e22261d794683c12c5258a1f0809d9e20
Amadey
ef236f863f1b753ae043e1d863cac676c169ebba141f568f0d9875c458a37bf0
Amadey
+ 169 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:dariy discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230506-w8wf3aac47/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
217.196.96.101:4132
Unpacked files
SH256 hash:
abf05389ce48902658f1b33abc1c8bce970be92190bbb73f14e0647b36f88b47
MD5 hash:
2f43dd6938196d41ecc47210b16539d6
SHA1 hash:
295149e954859da5f099a14eead5c8832ae8776d
Link:
https://www.unpac.me/results/aab076fb-3ca9-4954-87c6-efe7d11db836/
SH256 hash:
df830604629890f6121201010fb9521eb23e49757004673bde2efe1844b9458a
MD5 hash:
8bf3a1705c7581adb005cc524ffeec1d
SHA1 hash:
69b960b6abd17c40d6306a409979556739ee95e6
Link:
https://www.unpac.me/results/aab076fb-3ca9-4954-87c6-efe7d11db836/
SH256 hash:
29b99712f82e55947802c67d87397dbe56d1af3e4c50738593e0970cb324722d
MD5 hash:
e1aabbf115328451aea72a988d11a2d9
SHA1 hash:
53c50b974f74dab0e66dd0cf3fa340f7e0e2ce80
Link:
https://www.unpac.me/results/aab076fb-3ca9-4954-87c6-efe7d11db836/
SH256 hash:
6ce70dad4586387acf6738fe454a2402420bc3c9077850c016d78ba48b40b93d
MD5 hash:
b6719af24caa8b5fea8ee6fc8df2ff57
SHA1 hash:
10938fcd4c7e5abf8bbbe0fb1c2f01a89fabd654
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/aab076fb-3ca9-4954-87c6-efe7d11db836/
Parent samples :
f8602cbbd833ac510fe4b748ef3e63acbc9b865891b5ada57c3a7867bf50b0cc
743e18d9ceeaf261e72a9ae93c4f67cc29c29471ee88691cda46722860f6a78b
d39906b0f38e9624a428564d4c292e900876e31feb6b0e2ab72cf974a9b06c62
1a34b485f0f8fdd20585189cf79c3ccb3adacc4eb130310c9bb61500b07a445e
45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81
cc68ef03582e4246cc775a592b4b30964ca661f939a49327484049a90af9af9c
4dff4034824dc5b27d3e621b6599f38f0fa606c9009e0c9295320bd9626dbd37
f97893e3fe80a4f0c8e3f4adb678e5adface7b1e759594904eb312d86ff274b4
b5b7305098fb082264c50e7d261bf26fc4fbe22887e9ea9dc36195eac9526802
13114608edf37238790c8116391da6bcec9eaef4a0b250d8848b349d4de9b783
32ea7b735163ddc910bcf4e6664216ab3511107f99088b3cb45f85f9ee8f7d03
ffd76e2798b872574c43d218d8e5ed3448fe206b82761f118d45f3c59a8ad9f0
36969505195071d1ce9e8410121c31e34061ad58426099bf3032617cf48483ef
1aee6c0eab0dad6e1407740ea59420c579843d2a437e7b8c26a6ac3c3ca405e9
b89975bbf0bcfba5d4da5d79548f9b9b24285e7566566e697c6e28b9a1ab2801
ff586b0be9d8fb8a73229ebef0a36e912c6492f0e8baa8d90769768ef4582097
bb63ad3aa8ee26e1eb7f61ecf207d325401efe438bb9c4def88397250becd90f
341a79721dd80587132f77849d0881aa2ec040977cbe28390b36af78d9ee6ba1
372e1f000ad19a9cdb70570968e8bc0380c5702359d55267cae2f77e064fb8d0
55ffcf50f1358e666d217bedc3b8da0b14eeaefa265c250304e6465dfd5c3b9a
afd351cb15e847328ea11096d2e9e766461578f56d021cea9797c24ced0b82a4
aa2c3b9a0038db69c08eee03788e504c5a5301480e905b25ab1fad678a227f42
cb2dc56722ff80bdda616155cfed7272c0471f00f3037ae3940f09319c730792
5d20c911a61ca2afc8f3cba61d942e3d45a563626d87742e1b30c13519f61b33
cde7d82a50a5aa94195e2d0031d323cb0bd03f693b833a78a8fe5ff118c3fc65
12c901317f01b10174d15fe5b244719ecd016bc5b841bb39470752a7b3a0b09d
d40d9babe9bf3b522990abaaa65d85207929615f89d739444dd20696d91d5d08
759666acbb6b96f63d27afe0d54f84590e26bbd78e33af69ff72f41e49c47043
2dacdf216df545b4d515f408a2e8579a0f251591ca8e5da22835fd245682e81d
11581748c5ef29c021f7c7310ed13ea6b835b15daa069134f37f62899e8c1ecf
118c0fb74ad90526584d396a89fd748f84c1d78ff78591d62af4efd612b9fb4e
25ca34124202284d4d9a0a3630c379cb9ad366db01ebe0b1d7667c738824f5d1
98652f67dbb3a65b4e7ece7d72060ebc4aeb390748b19854d170ce995a12ec92
60cdebef33d48f93cf50f7e7b10d422d83a37d1089f39608087b7b06c2fd7510
d42b53d60029f149073170d929cc22779e291815b35b7088b419431761b3adaf
85679ee9cb599e13b6aedfa5ebff97e8743e91df5186c0e87efb3e0e44a73ab5
50c58a3f1be538a8b55a8ff669d0d1f95756a16e25a2e5850d7a5934cd5706d2
44ab913e6708ebdb117d4d0608fd14c7a3b5280db5425b0f4e4d3bdad8654f55
6dade75a4f43a5692c85263f08051b595f821fbf844eb71fc0efeb065526036d
ab55bcdfa1ed26570e4b5376d78e091e5419625ae5bd94c4bb516826ec7b5a89
6cd1ad365accfd8b32628c1223c49997eca41dcd25a63fc8a0600dcc980d0722
5d32e92dcd62c91524aa8a86ac85620bf9b6308b56c5c3e2a20599664fcd70ba
8e81011b7f0c98519417ddc3219b4f2a861788c916a8c9432565c3a8d38d4c53
b237a20dd5d6d51b4a62fc3d0097cf5ad4176ce957de884b200863f3e1e3e8b2
868d21c6771a072be11ed95a3ea83e4db4b58d9d83ebf365afbc53b5d9994bff
21ac43b45a8b4ec019fa3567178dc33d00035db0d4c5e55c796200668ac3f9ea
30841adf2755eac3ce3f6f00cb586466ee303f6ad6424cf82bd73217234fe845
96dfd6a34a66443699a8a889eeef4d81e6af42ee659c67928b3b716f55d27620
beedcfd6c00bf78cf0b20d54119dbb57d28a5c216743b4286c7596c69b7bd0d0
3714fa81b3666898abee2113279387a49f877759051116b68aa9c5f0315175e3
a38ee2750085cd494ac62caa19442b9eee35ad49c341d8dfd071cf2b635f4b42
b1895ff6323dad953e81dc8352066c809d9a8a336f297f39fbae61ee56e4f1a9
1d2863c00ad2486e183f7acd9f88dd36ea404d2479ad77b7364f2ed3523ba4c3
2217c772d745894e8c2ec9fb8feadf525bc3cf0704b1b7a1b2042cf30451acc4
08acabd3d1e9da7fa9fffd9ca89518f9570571b100eb106394df94ad1a30154c
7eb7de67ab5fb01dde85fa99ab91b71a11e1de29e83feb207d50340bfb57c9a1
42230ae02ccf8f6754ae097e046a2c74f1b55d75f6a909944f41ab7660f833c0
b9bc2bf613ae62071eda092d64f0f719d7f377ec059c6b5de87a7aa20a6309fb
f686f974db928e85279098e0c0ef7f4459304da9b3ecb7381f3d5d7d6bbae4d6
274ddb56b7eaecc9484be72db2f4640e56b49e47489bcdf58eec65ae9070fd84
bd6603f39e30e79521a170be86bd97be3361c937160f109c20bc481e17af8d35
e44c4cf50f9e6bd96e7e535025dc095bfcbe3f9df9697cf4221d5be7fe1517da
4f0ab1e8866b96101e5c27520c520f384532a078ef0dfc9c96a54a4623903652
c5e543f209c71de03c3fd59f065ced4f40719dabbaef2fb5855bb251aafe26a2
d45e3d542a910a59f854673de93b485dc18f6c8fa0b505691bdb2ca0caaa2a8b
90bb4c682e5f0ebdb5626655a3e95a16a6ccf2b05cc4167964f98b0099f9bcf2
e810e42176869e987b747411d29a8071fd18db65de336b5f9f29be6b85c3bb21
a2b3d06d9dc9c1ed4dd58bd8c867c1c27e877e07d199f8977f7bca46e6561c19
d1867294a81b3772ad1307eac10b78eceecf28210aeaeb7d524efca6515f0f3f
612ece4f1edfa547cb2c224d9018245e3d4407ee587e00c648e80358e0349493
efb1bd2291e35da7f22a7fe0345bef2c04d3fe3fcc73bc448dda00dc4e9bad8f
651c9fb71952bd29c53b3bde439bc7f0538241608c1e6ed3a7f96fe063f41bbb
b00f54f3033c071fa5844a8afad3623a2ad086a0a8fb4efa51dc65f6bc0818ae
d5f14b56cd42d5ef42a59c6b1140de0fd19c4f53e6bab07979b941acd30a11e0
2d22008c64c85e23e6436e2ca951ccc52305835949c90f8b952446969bd6e75c
bb7479d1e0689a68a0e9cb3341d22e625dfba03a436a9306a6e4bfe47eca0638
04e10c4821f3e6a5e13e60b1281623d095802c8c295a2a4bfe9de4b175881209
28d3195daf8b48fa262cc9be185e9dd402f79be472874b4070dd0516744b8a63
8003e04f598f75df475bebdafb8b1702c4bdff87067b6554942a795a50c5bb73
86de0eece0f433c1dad9c51b60a11e39346f6da14ad576d78bd72600d963f80a
fda782d36cbd967d0c3f037110e2419d4676af0a089648fb8c6f8656e97fdb83
f984811ca20f0022a21840ccd29a68b8a39d44569b4ecdb9634405e4f404af57
0f91f82218d734d2f86b6a1fa0b6c8743e031caf1ce6481e138201309eaf224f
e6270068394194d400ccb6422ccaa72da89179294525d6aa0c615bd1519d685d
127331248be3658c2f1156be9b8df2462ae511a94f73d3251f76ff294424b2cb
8c6d489d8ecdd838af163fa9d7dca54122213cb7344e14496966c69e707f556c
7026eacc9c822fe689ae74f267509c2cf2f0410814b16666e57ef3f274e570cf
e97c547cced7e272f3695066bf3086013be74e24a21bf7bbb9302982edf255ce
89a46ed5a9c6783ec3ddf5d7bd47c7330a8429e4ff46b317b93ffe46eed9861d
6decc03ddfab1b1856ea69c8367a7c3d667b7a83d7f0f19d9c8131dcc7064ef3
fc6d4bf3214b6386e4bc7c46ecbea0eee92ef4d57f420b6e87633cbf4c7d73ec
e34cad99c2ebf1570bd8465bb4d137ef93f8c83befa03413bfa0168a2d7cfc3f
d3daa7b6a8b032dd2d3318c393e5c465c984c14201668e2d396870f847181376
c06a652f1fe956bf1c83d0bdd807b767a54204a3c42b5e0b9ac70aef7cfec181
e20059c975e3b3ca0d2bdc906ce4608aed80d4a938667b83fc97990fd0bf5c73
fe616b2c98d4cfed8780c24c4c9c705274846cfb86c6e7f4a1e5c9b1fa03b381
SH256 hash:
2dacdf216df545b4d515f408a2e8579a0f251591ca8e5da22835fd245682e81d
MD5 hash:
9446ccda35c40cfbad670710e452611c
SHA1 hash:
36439e162309f9e1416b8bb82a2aa3d7c8c626c0
Link:
https://www.unpac.me/results/aab076fb-3ca9-4954-87c6-efe7d11db836/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2dacdf216df5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2dacdf216df545b4d515f408a2e8579a0f251591ca8e5da22835fd245682e81d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 2dacdf216df545b4d515f408a2e8579a0f251591ca8e5da22835fd245682e81d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2623602/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/387147/

Comments