MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3233e1d3dc7c73ea5052a53b8e67668dafc5f84ddc213c8bf5ed349a22e485b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 15


SHA256 hash: 3233e1d3dc7c73ea5052a53b8e67668dafc5f84ddc213c8bf5ed349a22e485b6
SHA3-384 hash: 92ad62722e03d1e10c41715ce24933f72d4dc9acbb109000bc602a364619db7510be5f03265293d0c8cebdf3e1516ea9
SHA1 hash: 39700db2301d10fa7a6c9ee37985eb30bb060c6d
MD5 hash: a7cd5b96a37ef2f06e2c8c72c2508259
humanhash: artist-north-muppet-fifteen
File name: a7cd5b96a37ef2f06e2c8c72c2508259
Signature: Amadey
File size: 1'948'160 bytes
First seen: 2024-02-14 17:01:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 24576:xiKi2E914qcly/zSWxnkgFiJ8oO4DnNwWELF/pLzxLZ6+u+qfj9UMJTBayb:6z4q4RngQqozS/LtZ6+g79ZMy
TLSH: T11395338F3E6B8EA2F9AC5471D0014796536C2EC464A705BD708866ED474BF52EAF3CE0
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: zbetcheckin
Tags: 32 Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 540
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3233e1d3dc7c73ea5052a53b8e67668dafc5f84ddc213c8bf5ed349a22e485b6.exe
Verdict: Malicious activity
Analysis date: 2024-02-14 17:02:13 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Launching the process to change network settings
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, RisePro Stealer, SmokeLoader, St
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files with benign system names
Exclude list of file types from scheduled, custom, and real-time scanning
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Capture Wi-Fi password
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: [rendered process/behaviour graph not reproduced here; Behavior Graph ID: 1392340, Sample: FV0mIIfKwQ.exe, Startdate: 14/02/2024, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2024-02-14 17:02:07 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 22 of 23 (95.65%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:amadey family:dcrat family:lumma family:risepro family:smokeloader family:stealc family:xmrig backdoor bootkit discovery evasion infostealer miner persistence rat spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
DcRat
Lumma Stealer
RisePro
SmokeLoader
Stealc
xmrig
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 376de1a6279015f27669fc3af6769b07bf2169eff813970213167156215ab131
MD5 hash: 4976ba0306f1e3880d4270ac1e696dd8
SHA1 hash: 289157961f1e5b339e699e31f500ee9a7ad00ccb
Detections: win_amadey
SHA256 hash: 3233e1d3dc7c73ea5052a53b8e67668dafc5f84ddc213c8bf5ed349a22e485b6
MD5 hash: a7cd5b96a37ef2f06e2c8c72c2508259
SHA1 hash: 39700db2301d10fa7a6c9ee37985eb30bb060c6d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Amadey
File: Executable exe 3233e1d3dc7c73ea5052a53b8e67668dafc5f84ddc213c8bf5ed349a22e485b6 (this sample)

Comments



zbet commented on 2024-02-14 17:01:34 UTC

url : hxxp://185.215.113.45/mine/amert.exe