MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e5cabd0ef1a25258496aa4a32c0a23338f72df7da07b4753eefab0982c81540. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 14



SHA256 hash: 2e5cabd0ef1a25258496aa4a32c0a23338f72df7da07b4753eefab0982c81540
SHA3-384 hash: 9a195cd2e3c16a3241c7c7f6be1acc04701e0c346d6ea1c64336e7c2f0a45a552e69234920b234e6b6a5791c6c7c3693
SHA1 hash: eff7b4a2cdb6adb40f68165c984787fdfbec452e
MD5 hash: 04174b4d66a59a2d30e28bcb3ad82d75
humanhash: yankee-monkey-arkansas-juliet
File name: 04174b4d66a59a2d30e28bcb3ad82d75
Signature: Amadey
File size: 372'736 bytes
First seen: 2024-01-28 00:57:54 UTC
Last seen: 2024-01-28 02:26:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 6144:JdHFcXMkBWTifQeM9b37GVCPA+4Bcyhb5rXq+wSjpXbEeE5v5UYcEVggH7Ysrw+T:JdP
TLSH: T10584E810AE0D9683F1593334C8ADE3732AB48DA1A8D1DA4B95D07C7B793D25B3C351EA
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: f08e9686dad89ac4 (5 x zgRAT, 4 x PureLogsStealer, 3 x Amadey)
Reporter: zbetcheckin
Tags: 32 Amadey exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 411
Origin country: FR

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 2e5cabd0ef1a25258496aa4a32c0a23338f72df7da07b4753eefab0982c81540.exe
Verdict: Malicious activity
Analysis date: 2024-01-28 00:58:48 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Restart of the analyzed sample
Creating a file
Creating a window
Searching for synchronization primitives
Creating a process from a recently created file
Creating a file in the %temp% directory
Delayed reading of the file
Launching the default Windows debugger (dwwin.exe)
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, PureLog Stealer
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to prevent local Windows debugging
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph ID: 1382193; Sample: Xep8cXF2aW.exe; Start date: 28/01/2024; Architecture: WINDOWS; Score: 100
(The graph image did not survive extraction; the node data recoverable from its text is listed below.)
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 14 other signatures
Process tree (recoverable edges): Xep8cXF2aW.exe starts a second Xep8cXF2aW.exe and Dctooux.exe; Dctooux.exe starts further Dctooux.exe instances, which start RegAsm.exe; one Dctooux.exe instance crashes into WerFault.exe; start.exe is started from the sample start node and in turn starts another start.exe
Network: 185.196.10.146 (ports 49729, 49730, 80; SIMPLECARRIERCH, Switzerland) from Xep8cXF2aW.exe; 185.196.10.34 (ports 49731, 49732, 80; SIMPLECARRIERCH, Switzerland) from Dctooux.exe; ytmodsupport.com 179.43.170.230 (PLI-ASCH, Panama) from RegAsm.exe
Dropped files: C:\Users\user\AppData\Local\...\pp[1].exe (PE32+); C:\Users\user\...\TALaunchUpdate2.4[1].exe (PE32); C:\Users\user\AppData\Local\...\Dctooux.exe (PE32); C:\Users\user\AppData\Roaming\install.exe (PE32); C:\Users\user\AppData\Roaming\...\start.exe (PE32)
Node signatures: Drops PE files to the startup folder; Injects a PE file into a foreign processes; Contains functionality to inject code into remote processes; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Creates an undocumented autostart registry key; Writes to foreign memory regions; Allocates memory in foreign processes; Query firmware table information (likely to detect VMs); Contain functionality to detect virtual machines; Contains functionality to prevent local Windows debugging
Threat name: Win32.Trojan.CrypterX
Status: Malicious
First seen: 2024-01-28 00:58:05 UTC
File Type: PE (.Net Exe)
Extracted files: 18
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:amadey family:zgrat discovery evasion rat trojan
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops startup file
Executes dropped EXE
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Amadey
Detect ZGRat V1
ZGRat
Malware Config
C2 Extraction: http://185.196.10.34

Unpacked files
SHA256 hash: 2e5cabd0ef1a25258496aa4a32c0a23338f72df7da07b4753eefab0982c81540
MD5 hash: 04174b4d66a59a2d30e28bcb3ad82d75
SHA1 hash: eff7b4a2cdb6adb40f68165c984787fdfbec452e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Web download
Signature: Amadey
File: Executable exe 2e5cabd0ef1a25258496aa4a32c0a23338f72df7da07b4753eefab0982c81540 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2024-01-28 00:57:55 UTC

url : hxxp://185.196.10.146/Imteahzda.exe