MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32ed1cedf813e1a27eadfe1c0fd6129bc4bb1a42bb010bceef1dc731c17be8b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32ed1cedf813e1a27eadfe1c0fd6129bc4bb1a42bb010bceef1dc731c17be8b7
SHA3-384 hash: dc58b84e42b4c6bd3561a2e2aa7b74cfb817d177bcaa90ac6ca89795babf1b69066d87e49ebb6276529f95aabe826bc5
SHA1 hash: aaefd6d55444d9c2112fb67f19f5b42e994b6db1
MD5 hash: 396c679d30f954a12bccb4fed4eb926b
humanhash: massachusetts-idaho-hamper-triple
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:1'909'760 bytes
First seen:2024-03-20 13:42:14 UTC
Last seen:2024-03-20 15:37:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:ZEIXBocHOIDvbjE2Xvvok3q14KOjtYsfRawgG:ZYOOIDvbjE0voka14TjJfkl
TLSH T14E9533005BF7C92AEDCBABF8E7A557D63761A6043620F31D7869420A0BBDDEC53150CA
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.45/mine/amert.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
372
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
32ed1cedf813e1a27eadfe1c0fd6129bc4bb1a42bb010bceef1dc731c17be8b7.exe
Verdict:
Malicious activity
Analysis date:
2024-03-20 13:45:12 UTC
Tags:
amadey botnet stealer loader redline evasion exela python
Link:
https://app.any.run/tasks/2e4b1063-0601-427f-97a5-d64a5434f200

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2406.18553.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching the process to change network settings
Sending an HTTP GET request
DNS request
Connection attempt
Sending a custom TCP request
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Possible injection to a system process
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65fae7e9757c624818b3ed92/reports/8a43a40c-e6f1-426e-99b3-14fa93ce66b8/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/32ed1cedf813e1a27eadfe1c0fd6129bc4bb1a42bb010bceef1dc731c17be8b7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f93be6d6-205b-4790-a22a-0242c5528ace
Result
Threat name:
LummaC, Python Stealer, Amadey, LummaC S
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1412444
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Gathers network related connection and port information
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Yara detected LummaC Stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1412444 Sample: file.exe Startdate: 20/03/2024 Architecture: WINDOWS Score: 100 171 Multi AV Scanner detection for domain / URL 2->171 173 Found malware configuration 2->173 175 Malicious sample detected (through community Yara rule) 2->175 177 27 other signatures 2->177 10 explorgu.exe 2 62 2->10         started        15 file.exe 5 2->15         started        17 MPGPH131.exe 2->17         started        19 2 other processes 2->19 process3 dnsIp4 127 185.215.113.32 WHOLESALECONNECTIONSNL Portugal 10->127 129 91.215.85.131 PINDC-ASRU Russian Federation 10->129 135 3 other IPs or domains 10->135 111 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 10->111 dropped 113 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 10->113 dropped 115 C:\Users\user\AppData\Local\...\green.exe, PE32 10->115 dropped 123 30 other malicious files 10->123 dropped 211 Antivirus detection for dropped file 10->211 213 Multi AV Scanner detection for dropped file 10->213 215 Detected unpacking (changes PE section rights) 10->215 229 5 other signatures 10->229 21 judith1234.exe 10->21         started        25 osminog.exe 2 10->25         started        27 random.exe 10->27         started        29 3 other processes 10->29 117 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 15->117 dropped 217 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->217 219 Tries to evade debugger and weak emulator (self modifying code) 15->219 221 Tries to detect virtualization through RDTSC time measurements 15->221 223 Machine Learning detection for dropped file 17->223 225 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->225 131 23.51.58.94 TMNET-AS-APTMNetInternetServiceProviderMY United States 19->131 133 185.93.1.246 CDN77GB Czech Republic 19->133 119 SystemMechanic_548...38868BD1.exe (copy), PE32 19->119 dropped 121 C:\Users\user\AppData\Local\...\BITA5C3.tmp, PE32 19->121 dropped 227 Benign windows process drops PE files 19->227 file5 signatures6 process7 file8 99 C:\Users\user\AppData\...\_quoting_c.pyd, PE32+ 21->99 dropped 101 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 21->101 dropped 103 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 21->103 dropped 109 32 other files (31 malicious) 21->109 dropped 179 Multi AV Scanner detection for dropped file 21->179 181 Machine Learning detection for dropped file 21->181 183 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->183 31 stub.exe 21->31         started        185 Found many strings related to Crypto-Wallets (likely being stolen) 25->185 187 Contains functionality to inject code into remote processes 25->187 189 Writes to foreign memory regions 25->189 191 LummaC encrypted strings found 25->191 36 RegAsm.exe 25->36         started        38 RegAsm.exe 25->38         started        50 2 other processes 25->50 105 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 27->105 dropped 107 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 27->107 dropped 193 Detected unpacking (changes PE section rights) 27->193 195 Found stalling execution ending in API Sleep call 27->195 197 Creates multiple autostart registry keys 27->197 201 3 other signatures 27->201 40 schtasks.exe 27->40         started        42 schtasks.exe 27->42         started        199 System process connects to network (likely due to code injection or exploit) 29->199 203 2 other signatures 29->203 44 rundll32.exe 25 29->44         started        46 RegAsm.exe 29->46         started        48 conhost.exe 29->48         started        signatures9 process10 dnsIp11 137 208.95.112.1 TUT-ASUS United States 31->137 139 185.199.108.133 FASTLYUS Netherlands 31->139 145 2 other IPs or domains 31->145 97 C:\Users\user\AppData\Local\...\Monster.exe, PE32+ 31->97 dropped 147 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 31->147 149 Tries to harvest and steal browser information (history, passwords, etc) 31->149 151 Modifies the windows firewall 31->151 169 2 other signatures 31->169 52 cmd.exe 31->52         started        54 cmd.exe 31->54         started        56 cmd.exe 31->56         started        68 14 other processes 31->68 141 172.67.217.100 CLOUDFLARENETUS United States 36->141 153 Query firmware table information (likely to detect VMs) 36->153 155 Found many strings related to Crypto-Wallets (likely being stolen) 36->155 157 Tries to steal Crypto Currency Wallets 36->157 159 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->159 161 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 38->161 59 conhost.exe 40->59         started        61 conhost.exe 42->61         started        163 Tries to steal Instant Messenger accounts or passwords 44->163 165 Uses netsh to modify the Windows network and firewall settings 44->165 167 Tries to harvest and steal ftp login credentials 44->167 63 powershell.exe 44->63         started        66 netsh.exe 2 44->66         started        143 4.185.137.132 LEVEL3US United States 46->143 file12 signatures13 process14 file15 70 systeminfo.exe 52->70         started        83 5 other processes 52->83 73 WMIC.exe 54->73         started        75 conhost.exe 54->75         started        209 Tries to harvest and steal WLAN passwords 56->209 85 2 other processes 56->85 125 C:\Users\user\...\246122658369_Desktop.zip, Zip 63->125 dropped 77 conhost.exe 63->77         started        79 conhost.exe 66->79         started        81 tasklist.exe 68->81         started        87 25 other processes 68->87 signatures16 process17 signatures18 205 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 70->205 89 WmiPrvSE.exe 70->89         started        207 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 73->207 91 Conhost.exe 81->91         started        93 net1.exe 83->93         started        95 quser.exe 83->95         started        process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/32ed1cedf813e1a27eadfe1c0fd6129bc4bb1a42bb010bceef1dc731c17be8b7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32ed1cedf813e1a27eadfe1c0fd6129bc4bb1a42bb010bceef1dc731c17be8b7/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-03-20 13:43:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=glwrz3pycpq2e7vn7yoa7vqstpclwgscxmaqxtxpdxdtdql35c3q._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:redline family:zgrat botnet:livetraffic evasion infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/240320-qz8gdahg48/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect ZGRat V1
Lumma Stealer
RedLine
RedLine payload
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.32
4.185.137.132:1632
https://resergvearyinitiani.shop/api
https://relevantvoicelesskw.shop/api
Unpacked files
SH256 hash:
37b44e670e322c9c09e168a8dcedc7f972762ee9a2cfe223b374cf87dc30a3f0
MD5 hash:
2a563e018375e9ed06c5298baf532fdd
SHA1 hash:
917ef70b68201d169686d7b68dd30b09dbba1fbc
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/4520f70b-4199-4686-9695-5fa2f08e51cc/
SH256 hash:
32ed1cedf813e1a27eadfe1c0fd6129bc4bb1a42bb010bceef1dc731c17be8b7
MD5 hash:
396c679d30f954a12bccb4fed4eb926b
SHA1 hash:
aaefd6d55444d9c2112fb67f19f5b42e994b6db1
Link:
https://www.unpac.me/results/4520f70b-4199-4686-9695-5fa2f08e51cc/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/32ed1cedf813/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32ed1cedf813e1a27eadfe1c0fd6129bc4bb1a42bb010bceef1dc731c17be8b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 32ed1cedf813e1a27eadfe1c0fd6129bc4bb1a42bb010bceef1dc731c17be8b7

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2759927/
  
URLhaus
https://urlhaus.abuse.ch/url/2761196/
  
URLhaus
https://urlhaus.abuse.ch/url/2757406/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments