MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ec13bb87dddbdc8adac9585362d458bc49e1657f2f061db39163d530d530802. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ec13bb87dddbdc8adac9585362d458bc49e1657f2f061db39163d530d530802
SHA3-384 hash: 508c451bed6713e2bb5d9d65d6642899be8e180d6251267d9f4a910b63ad08b7aeb49da42bd854ccfc9ef1825cac0056
SHA1 hash: 5bd34718a5b83505474401063a469d696809c1ab
MD5 hash: 0af396d89197dc994ee7c05cd82c84fc
humanhash: river-shade-oklahoma-beryllium
File name:2ec13bb87dddbdc8adac9585362d458bc49e1657f2f06.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:7'977'984 bytes
First seen:2023-02-07 18:50:33 UTC
Last seen:2023-02-07 20:48:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 196608:+FmnP/F68J3FxrU93Eq3zPgSnbWOGGY7p:+c37RjqjPDbWhGY
Threatray 1'547 similar samples on MalwareBazaar
TLSH T1068601904502949B12BB9E3F54F67A475C0F2B5CFF8F5692E668A36B0426EE37C102CD
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://45.9.74.80/0bjdn2Z/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
2ec13bb87dddbdc8adac9585362d458bc49e1657f2f06.exe
Verdict:
Malicious activity
Analysis date:
2023-02-07 18:52:51 UTC
Tags:
trojan amadey evasion stealer loader miner
Link:
https://app.any.run/tasks/c4d67311-9857-4ee4-9cd6-d343674e2efd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361551/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.9891.8992.21703.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Sending a custom TCP request
Searching for the window
DNS request
Launching a process
Launching cmd.exe command interpreter
Creating a window
Sending an HTTP POST request
Delayed reading of the file
Sending an HTTP GET request
Adding an access-denied ACE
Running batch commands
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/63e29d98696b2d97257585c8/reports/94f2b79c-b712-4752-8bcb-c0dce661f293/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2ec13bb87dddbdc8adac9585362d458bc49e1657f2f061db39163d530d530802
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ccbd7c0f-3952-4c77-84db-7f9ac478cb10
Result
Threat name:
Amadey, Fabookie, ManusCrypt
Create hunting rule
Detection:
malicious
Classification:
phis.bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1168107
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates processes via WMI
Detected VMProtect packer
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected ManusCrypt
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 800889 Sample: 2ec13bb87dddbdc8adac9585362... Startdate: 07/02/2023 Architecture: WINDOWS Score: 100 150 Malicious sample detected (through community Yara rule) 2->150 152 Antivirus detection for URL or domain 2->152 154 Antivirus / Scanner detection for submitted sample 2->154 156 10 other signatures 2->156 11 2ec13bb87dddbdc8adac9585362d458bc49e1657f2f06.exe 6 2->11         started        14 rundll32.exe 2->14         started        16 cmd.exe 2->16         started        19 8 other processes 2->19 process3 file4 102 C:\Users\user\AppData\Local\Temp\pliu.exe, PE32 11->102 dropped 104 C:\Users\user\AppData\Local\...\llpb1133.exe, PE32+ 11->104 dropped 106 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 11->106 dropped 108 2 other malicious files 11->108 dropped 21 Player4.exe 3 11->21         started        25 llpb1133.exe 11->25         started        28 pliu.exe 2 11->28         started        30 XandETC.exe 3 11->30         started        32 rundll32.exe 14->32         started        146 Uses powercfg.exe to modify the power settings 16->146 148 Modifies power options to not sleep / hibernate 16->148 34 conhost.exe 16->34         started        38 5 other processes 16->38 36 conhost.exe 19->36         started        40 6 other processes 19->40 signatures5 process6 dnsIp7 98 C:\Users\user\AppData\Local\...\mnolyk.exe, PE32 21->98 dropped 158 Antivirus detection for dropped file 21->158 160 Multi AV Scanner detection for dropped file 21->160 162 Machine Learning detection for dropped file 21->162 164 Contains functionality to inject code into remote processes 21->164 42 mnolyk.exe 27 21->42         started        122 157.240.247.35 FACEBOOKUS United States 25->122 124 185.60.216.35 FACEBOOKUS Ireland 25->124 126 45.66.159.142 ENZUINC-US Russian Federation 25->126 166 Tries to detect virtualization through RDTSC time measurements 25->166 168 Creates processes via WMI 28->168 47 pliu.exe 28->47         started        49 conhost.exe 28->49         started        100 C:\Program Files100otepad\Chrome\updater.exe, PE32+ 30->100 dropped 170 Adds a directory exclusion to Windows Defender 30->170 172 Writes to foreign memory regions 32->172 174 Allocates memory in foreign processes 32->174 176 Creates a thread in another existing process (thread injection) 32->176 51 svchost.exe 32->51 injected 53 svchost.exe 32->53 injected 55 svchost.exe 32->55 injected file8 signatures9 process10 dnsIp11 128 45.9.74.80 FIRST-SERVER-EU-ASRU Russian Federation 42->128 130 8.8.8.8 GOOGLEUS United States 42->130 134 2 other IPs or domains 42->134 110 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 42->110 dropped 112 C:\Users\user\AppData\Local\...\random.exe, PE32 42->112 dropped 114 C:\Users\user\AppData\Local\...\pb1111.exe, PE32+ 42->114 dropped 118 3 other malicious files 42->118 dropped 200 Antivirus detection for dropped file 42->200 202 Multi AV Scanner detection for dropped file 42->202 204 Creates an undocumented autostart registry key 42->204 210 2 other signatures 42->210 57 rundll32.exe 42->57         started        59 random.exe 42->59         started        62 pb1111.exe 42->62         started        70 2 other processes 42->70 132 188.114.97.3 CLOUDFLARENETUS European Union 47->132 116 C:\Users\user\AppData\Local\Temp\db.dll, PE32 47->116 dropped 65 conhost.exe 47->65         started        206 Sets debug register (to hijack the execution of another thread) 51->206 208 Modifies the context of a thread in another process (thread injection) 51->208 67 svchost.exe 51->67         started        file12 signatures13 process14 dnsIp15 72 rundll32.exe 57->72         started        186 Multi AV Scanner detection for dropped file 59->186 188 Creates processes via WMI 59->188 76 random.exe 59->76         started        78 conhost.exe 59->78         started        136 157.240.201.35 FACEBOOKUS United States 62->136 138 157.240.253.35 FACEBOOKUS United States 62->138 190 Machine Learning detection for dropped file 62->190 140 208.95.112.1 TUT-ASUS United States 67->140 142 172.67.161.69 CLOUDFLARENETUS United States 67->142 144 34.142.181.181 ATGS-MMD-ASUS United States 67->144 94 C:\Users\user\AppData\Local\...\Cookies.db, SQLite 67->94 dropped 96 C:\Users\user\AppData\Local\...\Login Data.db, SQLite 67->96 dropped 192 Query firmware table information (likely to detect VMs) 67->192 194 Installs new ROOT certificates 67->194 196 Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically) 67->196 198 Tries to harvest and steal browser information (history, passwords, etc) 67->198 80 conhost.exe 70->80         started        82 conhost.exe 70->82         started        84 cmd.exe 1 70->84         started        86 5 other processes 70->86 file16 signatures17 process18 dnsIp19 120 192.168.2.1 unknown unknown 72->120 178 System process connects to network (likely due to code injection or exploit) 72->178 180 Tries to steal Instant Messenger accounts or passwords 72->180 182 Tries to harvest and steal ftp login credentials 72->182 184 Tries to harvest and steal browser information (history, passwords, etc) 72->184 88 tar.exe 72->88         started        90 conhost.exe 76->90         started        signatures20 process21 process22 92 conhost.exe 88->92         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ec13bb87dddbdc8adac9585362d458bc49e1657f2f061db39163d530d530802/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 18:51:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f3atxod53w64rlnmswctmlkfrpcj4fsx6lygdwzzcy6vgdktbaba._file
Verdict:
malicious
Similar samples:
1b9a01ec85d2d38b29105b8c03eb0221d1bfdd46addc258ed5006116d371318a
Amadey
2c18cc487d7d1078460dce7e68108cb99eab6cb9ee1955ca4df3b2376f0a0e8b
Amadey
2e09674fc46e09a14bcfc5e3078de72c91c17d6fd3aac5146677cbe94a784d24
Amadey
4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36
Amadey
590e81a847fe5bf4bf4e23ce70b49fb27ec3048ffd8b02e360b757d26e2eac6c
Amadey
929afe073d4068f4269719a986b03cdd85b7cc1da969d7ac65e6b2f711e616c2
Amadey
ab597e47830049e2c4ff24a3b9c806d067bbd42250949d13a4255151858ae796
Amadey
b56d9fb1c1115ea938528713be7de446276c1829b65e15f116ff5837a71dc787
Amadey
ba36d04cdfbdd729450db17a6f0b8b953ca8b91aefb9d56a71e58864c8e0fb61
Amadey
e115bc4b1111389c8394d798d55a95c2181ac088fbea26c62645d3d82884dd54
Amadey
+ 1'537 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:xmrig evasion miner spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/230207-xhg2esge2t/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
VMProtect packed file
Downloads MZ/PE file
Stops running service(s)
XMRig Miner payload
Amadey
Modifies security service
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Malware Config
C2 Extraction:
45.9.74.80/0bjdn2Z/index.php
Unpacked files
SH256 hash:
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8
MD5 hash:
08240e71429b32855b418a4acf0e38ec
SHA1 hash:
b180ace2ea6815775d29785c985b576dc21b76b5
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/0fdeb9f6-c349-4a2a-95ed-a5c36188a0d5/
Parent samples :
2ec13bb87dddbdc8adac9585362d458bc49e1657f2f061db39163d530d530802
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8
ab54530ef0182440d2e1886665577792acb9805746a3f150e177ed93d79da71f
SH256 hash:
2ec13bb87dddbdc8adac9585362d458bc49e1657f2f061db39163d530d530802
MD5 hash:
0af396d89197dc994ee7c05cd82c84fc
SHA1 hash:
5bd34718a5b83505474401063a469d696809c1ab
Link:
https://www.unpac.me/results/0fdeb9f6-c349-4a2a-95ed-a5c36188a0d5/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2ec13bb87ddd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ec13bb87dddbdc8adac9585362d458bc49e1657f2f061db39163d530d530802

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:msil_rc4
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/361551/

Comments