MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 306be28465d999ceaf119fcd5d5a120d59d68beca4183369f5a3a3e1b0d9abde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments 1

SHA256 hash:	306be28465d999ceaf119fcd5d5a120d59d68beca4183369f5a3a3e1b0d9abde
SHA3-384 hash:	c95f79d5e7e1e0c9d81db170ec657842584a8a1de8382914e87ba6fa3fc923e0aa9658b72bb2671452d1a869dd67b5eb
SHA1 hash:	436d78fd912b6db2f7ddd8c1502a579b16b6806e
MD5 hash:	0a40867418d1c81d3b4a6a7f6d5b84af
humanhash:	summer-white-autumn-arizona
File name:	0a40867418d1c81d3b4a6a7f6d5b84af
Download:	download sample
Signature	Amadey Create hunting rule
File size:	346'112 bytes
First seen:	2022-06-21 19:53:23 UTC
Last seen:	2022-06-21 20:32:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	dbe7c866442b2c90ddc4d147097c4eb3 (4 x RedLineStealer, 1 x Amadey, 1 x SystemBC)
ssdeep	6144:LbVN0auIu9z5tN0hR5WuGMDW9nkk10CNqEPiWNqQuhWyDFJNLhU:LbVmauR5tNUjWuT8kCJ2WNqQuhpXN
Threatray	496 similar samples on MalwareBazaar
TLSH	T18374BE00BA90C435F0F711F889B69368B92E7AE19B2850CF52D466FE57346E4EC3275B
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13101/52/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	25ac1370399b9b91 (36 x Amadey, 28 x Smoke Loader, 17 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 Amadey exe

Intelligence

File Origin

# of uploads :

# of downloads :

768

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/282104/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.27201.25675.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Running batch commands

Launching a process

Creating a window

Creating a file

Delayed reading of the file

Sending an HTTP POST request to an infection source

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/22217/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62b224ea1fcdba4e1a45bec0/reports/bce80bc0-7bca-4782-be87-195ed4f34461/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Deyma

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/348127ff-7d98-47d4-8bcb-001a6d25aea2

Result

Threat name:

Amadey

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1017468

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Posts data to a JPG file (protocol mismatch)

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Amadeys stealer DLL

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/306be28465d999ceaf119fcd5d5a120d59d68beca4183369f5a3a3e1b0d9abde/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-06-21 19:54:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gbv6fbdf3gm45lyrt7gv2wqsbvm5nc7muqmdg2pvuor6dmgzvppa._file

Verdict:

malicious

Amadey

26543b2a6390907fd826b54e7f042e309b8bb03e1f77a8f5328ec22f160c25c2

Amadey

367f3a5a589ebb253496871b6b2d4cc956134e22c1b5d41edb0c19c890176a1f

Amadey

795ad9d254028b8fcc3f3e51c8501903214cdf27bf769dabccf88cae723bfb68

Amadey

904fd9db22a234ac854e7a95447ce3a9653dddd34aa76d1fbfb2a663a519245d

Amadey

9ec16b7ad0ac9eb821c6c037451d127e652cde49c6881a948503bc98f5f51111

Amadey

b22c3cd5ceb80a740708071c128aafa21805bd0c12759fff78cf319d498f5579

Amadey

df640367b49da9d6125891744014fdc2680c51c521d9890b16ef037ab10d861a

Amadey

+ 486 additional samples on MalwareBazaar

Result

Malware family:

amadey

Score:

10/10

Tags:

family:amadey collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220621-ymhzysecb7/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_win_path

Enumerates physical storage devices

Accesses Microsoft Outlook profiles

Checks computer location settings

Loads dropped DLL

Reads local data of messenger clients

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Amadey

Detect Amadey credential stealer module

suricata: ET MALWARE Amadey CnC Check-In

Malware Config

C2 Extraction:

185.215.113.15/Lkb2dxj3/index.php

Unpacked files

SH256 hash:

4b1ba21778d3a9769fbd44c4f70ce8e917582936c47d48cd54c3f6edc1b3cbca

MD5 hash:

acb89a2f1798775fb689240900d29ce0

SHA1 hash:

0ff10b411da63dd515cb1fd81d2421fe9517399b

Link:

https://www.unpac.me/results/aebb89b7-886c-4a10-9ad5-0fa2ea382854/

SH256 hash:

306be28465d999ceaf119fcd5d5a120d59d68beca4183369f5a3a3e1b0d9abde

MD5 hash:

0a40867418d1c81d3b4a6a7f6d5b84af

SHA1 hash:

436d78fd912b6db2f7ddd8c1502a579b16b6806e

Link:

https://www.unpac.me/results/aebb89b7-886c-4a10-9ad5-0fa2ea382854/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/306be28465d9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/306be28465d999ceaf119fcd5d5a120d59d68beca4183369f5a3a3e1b0d9abde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.