MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 304297cf4b97fed416f783c13df6b4718414e78ac9f07b7b0ad1ab9c528a57c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 304297cf4b97fed416f783c13df6b4718414e78ac9f07b7b0ad1ab9c528a57c7
SHA3-384 hash: 434f5903d918e52def712995f7875b7cc32a5a50e8c26f9e3423fd80b609453e63dcc63ee9cf51b2798e182312b4d8d9
SHA1 hash: aa06e15c910dfd1ba642ac78a7957972afa855a8
MD5 hash: 5b5e94c98e5ac70ad03a0fb91a6c2e71
humanhash: tennis-pasta-shade-one
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:133'632 bytes
First seen:2023-11-08 21:18:54 UTC
Last seen:2023-11-08 22:20:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'471 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:j+cjivepKQreOccbC5Chdw42pIqTINv18:CcWQre9cbYCB2pIqTW
Threatray 9 similar samples on MalwareBazaar
TLSH T133D3CF515DA98653E98E873D9C3D0EA007BEA0346731D20CBE88A56BA4D73DE8F8C751
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:Amadey exe


Avatar
andretavare5
Sample downloaded from http://194.49.94.67/files/InstallSetup2.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
380
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.1028.21671.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Searching for synchronization primitives
Searching for the window
Running batch commands
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Blocking the User Account Control
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/654bfb48993fbf888b6af573/reports/61753444-9f49-4a49-ba7e-2bd64e1cfdc9/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/304297cf4b97fed416f783c13df6b4718414e78ac9f07b7b0ad1ab9c528a57c7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4f4b79c0-5a92-4bb4-a5e3-daefa332b198
Result
Threat name:
CryptOne, Vidar, onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1339364
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected CryptOne packer
Yara detected Generic Downloader
Yara detected onlyLogger
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1339364 Sample: file.exe Startdate: 08/11/2023 Architecture: WINDOWS Score: 100 135 yip.su 2->135 137 t.me 2->137 139 6 other IPs or domains 2->139 159 Snort IDS alert for network traffic 2->159 161 Found malware configuration 2->161 163 Malicious sample detected (through community Yara rule) 2->163 165 21 other signatures 2->165 13 file.exe 2 4 2->13         started        16 cmd.exe 2->16         started        18 cmd.exe 2->18         started        20 2 other processes 2->20 signatures3 process4 signatures5 199 Adds a directory exclusion to Windows Defender 13->199 201 Disables UAC (registry) 13->201 22 CasPol.exe 15 185 13->22         started        27 powershell.exe 21 13->27         started        29 G88YF2OSjtZnQWzEwaCkrs6E.exe 16->29         started        31 conhost.exe 16->31         started        33 KGlFRxRohY2ZwphtjdiAroHq.exe 18->33         started        35 conhost.exe 18->35         started        37 conhost.exe 20->37         started        39 conhost.exe 20->39         started        process6 dnsIp7 141 85.209.11.204, 49706, 49712, 49715 SYNGB Russian Federation 22->141 143 gobo11fc.top 89.191.234.21, 49708, 49711, 49720 MIRHOSTINGRU Russian Federation 22->143 145 4 other IPs or domains 22->145 95 C:\Users\...\zJwsl8PKnUMeehzQUIIzVyI7.exe, PE32 22->95 dropped 97 C:\Users\...\x4CL8qOv6VORYdv0qVe7r5WF.exe, PE32 22->97 dropped 99 C:\Users\...\osdU12AVE1Ze2BZstmSEZuc4.exe, PE32 22->99 dropped 101 142 other malicious files 22->101 dropped 167 Drops script or batch files to the startup folder 22->167 169 Creates HTML files with .exe extension (expired dropper behavior) 22->169 41 5oVfNoLg849oo7W5gyqyshO2.exe 37 22->41         started        46 8mBRfoLYC4bdJlKUBBNw7kY8.exe 22->46         started        48 iHtw8AirPPkTco5UrXdhuJBC.exe 22->48         started        54 11 other processes 22->54 50 conhost.exe 27->50         started        171 Antivirus detection for dropped file 29->171 173 Detected unpacking (changes PE section rights) 29->173 175 Detected unpacking (overwrites its own PE header) 29->175 177 Injects a PE file into a foreign processes 29->177 52 G88YF2OSjtZnQWzEwaCkrs6E.exe 29->52         started        179 Multi AV Scanner detection for dropped file 33->179 181 Machine Learning detection for dropped file 33->181 file8 signatures9 process10 dnsIp11 147 5.182.38.138 VMAGE-ASRU Russian Federation 41->147 149 t.me 149.154.167.99, 443, 49714 TELEGRAMRU United Kingdom 41->149 151 116.203.165.60, 2087, 49717 HETZNER-ASDE Germany 41->151 121 C:\Users\user\AppData\...\softokn3[1].dll, PE32 41->121 dropped 123 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 41->123 dropped 125 C:\Users\user\AppData\...\mozglue[1].dll, PE32 41->125 dropped 131 9 other files (5 malicious) 41->131 dropped 183 Multi AV Scanner detection for dropped file 41->183 185 Detected unpacking (changes PE section rights) 41->185 187 Detected unpacking (overwrites its own PE header) 41->187 197 5 other signatures 41->197 189 Contains functionality to inject code into remote processes 46->189 191 Injects a PE file into a foreign processes 46->191 56 8mBRfoLYC4bdJlKUBBNw7kY8.exe 46->56         started        59 iHtw8AirPPkTco5UrXdhuJBC.exe 48->59         started        127 C:\Users\user\AppData\...\8225980939.exe, PE32 52->127 dropped 129 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 54->129 dropped 193 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 54->193 195 Sample uses process hollowing technique 54->195 62 3WxcbxRtFCKbqRWnOzKjhNGy.exe 54->62         started        64 Ey7T7HX8IOJJhLYsH8xKcajp.exe 54->64         started        66 Broom.exe 54->66         started        69 2 other processes 54->69 file12 signatures13 process14 dnsIp15 103 C:\Users\user\AppData\...\7173091886.exe, PE32 56->103 dropped 105 C:\Users\user\AppData\Local\...\s51[1], PE32 56->105 dropped 107 C:\Users\user\AppData\Local\...\s51[1], PE32 56->107 dropped 71 cmd.exe 56->71         started        153 script.google.com 142.251.33.110 GOOGLEUS United States 59->153 155 googlehosted.l.googleusercontent.com 172.217.14.193 GOOGLEUS United States 59->155 109 C:\Users\user\AppData\...\6403408428.exe, PE32 59->109 dropped 111 C:\Users\user\AppData\Local\...\s51[2], PE32 59->111 dropped 73 cmd.exe 59->73         started        113 C:\Users\user\AppData\...\6384659780.exe, PE32 62->113 dropped 115 C:\Users\user\AppData\Local\...\s51[1], PE32 62->115 dropped 75 Conhost.exe 62->75         started        117 C:\Users\user\AppData\...\3198785141.exe, PE32 64->117 dropped 119 C:\Users\user\AppData\Local\...\s51[4], PE32 64->119 dropped 157 Multi AV Scanner detection for dropped file 66->157 file16 signatures17 process18 process19 77 7173091886.exe 71->77         started        81 conhost.exe 71->81         started        83 6403408428.exe 73->83         started        85 conhost.exe 73->85         started        file20 133 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 77->133 dropped 203 Multi AV Scanner detection for dropped file 77->203 87 WerFault.exe 77->87         started        89 WerFault.exe 83->89         started        91 WerFault.exe 83->91         started        signatures21 process22 process23 93 Conhost.exe 87->93         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/304297cf4b97fed416f783c13df6b4718414e78ac9f07b7b0ad1ab9c528a57c7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/304297cf4b97fed416f783c13df6b4718414e78ac9f07b7b0ad1ab9c528a57c7/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-08 21:19:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gbbjpt2ls77nifxxqpat35vuogcbjz4kzhyhw6yk2gvzyuukk7dq._file
Verdict:
malicious
Similar samples:
07105387c83e9e9d6d893780443d355c7e5ddadc74b5e51fc1532da74fa6b060
Amadey
08dfe704ee9001d625c1ff19f0a1805cf760d014af5a3cc0b5aa3b8d128645c7
Amadey
3c36a35096a0e4ad330d8ae5953d844db3af5d0fa1780782a6a1adf32550fda5
Amadey
5c58a49c4390a1727fe88f652d72f5362b60aec3f3d53f08039a40e83a3bd0a8
Amadey
cde70eb3c36de17b4a4113bfe70154973ea9aa16e0e1528a58fce12331a6c4f6
Amadey
dd225dc0284234d7ec035b06461bb9e15a5851fa4414d0a3c67541297bef8c64
Amadey
dfb0cb2008c1605f4e9f67fc3c4fe0a52f0f0e6634d55e250cd2604d982f8676
Amadey
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/231108-z56dmsdf8w/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Amadey
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
197399ce5fdea480b4dcf903547474e414b7b12b61beef6bf9a658fc36c48ffa
MD5 hash:
c8f83b5933c2fc73f9fdb94f2f65b1de
SHA1 hash:
dbb6d4619499ded3969402c83cc0cf8ccaad0e93
Link:
https://www.unpac.me/results/f8e5f2a5-f9f9-42a4-840a-86cc6f2f1050/
SH256 hash:
304297cf4b97fed416f783c13df6b4718414e78ac9f07b7b0ad1ab9c528a57c7
MD5 hash:
5b5e94c98e5ac70ad03a0fb91a6c2e71
SHA1 hash:
aa06e15c910dfd1ba642ac78a7957972afa855a8
Link:
https://www.unpac.me/results/f8e5f2a5-f9f9-42a4-840a-86cc6f2f1050/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/304297cf4b97/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/304297cf4b97fed416f783c13df6b4718414e78ac9f07b7b0ad1ab9c528a57c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2729008/

Comments