MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 342d78d9fce8746086118d55415082dd511dd6b0eeaae7800701131e54988678. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 342d78d9fce8746086118d55415082dd511dd6b0eeaae7800701131e54988678
SHA3-384 hash: 71ed0a171ce2e45f4a65b2250b358080b8572ac054ca59434e34047d819b4ffafe51ba65c9d88030cd872b59ae05586a
SHA1 hash: 7b801f08d4a9291e79c7d9f09a979be26e5b0cab
MD5 hash: 38ccec7885c71c930f22ba35f10b72b1
humanhash: red-alabama-arkansas-echo
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:431'104 bytes
First seen:2022-12-09 13:21:06 UTC
Last seen:2022-12-09 13:38:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dd021619be333394dbb32a14f86d077c (8 x Smoke Loader, 5 x Amadey, 3 x RedLineStealer)
ssdeep 6144:2sB2LZggUhX0PLs9I6TxzcXvIEkPGnqQ34xOahh6K9W9QtRvded89kTR:2sE1ggoEPg9I6TxsPaIK9W9sgaw
TLSH T17194E0413585C4B2C3621D3B4C25C7E1E93BB83AFB275967F7683B6FAE7229045E2205
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c11edecea6ac8ccc (199 x Amadey, 139 x Smoke Loader, 22 x RedLineStealer)
Reporter andretavare5
Tags:Amadey exe


Avatar
andretavare5
Sample downloaded from http://31.41.244.253/kara/niga.exe

Intelligence

File Origin
# of uploads :
10
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344711/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Launching cmd.exe command interpreter
Creating a window
Creating a file
Delayed reading of the file
Searching for the window
Adding an access-denied ACE
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6393367c04e0e79bdf41d039/reports/303134c5-ca71-418f-b3ab-5ee6708d5778/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/000692b4-9fa3-457e-b726-ce2f810c58c7
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131422
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 764146 Sample: file.exe Startdate: 09/12/2022 Architecture: WINDOWS Score: 100 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for URL or domain 2->59 61 Antivirus detection for dropped file 2->61 63 4 other signatures 2->63 8 file.exe 4 2->8         started        12 gntuud.exe 2->12         started        process3 file4 37 C:\Users\user\AppData\Local\...\gntuud.exe, PE32 8->37 dropped 39 C:\Users\user\...\gntuud.exe:Zone.Identifier, ASCII 8->39 dropped 73 Detected unpacking (changes PE section rights) 8->73 75 Detected unpacking (overwrites its own PE header) 8->75 77 Contains functionality to inject code into remote processes 8->77 14 gntuud.exe 18 8->14         started        signatures5 process6 dnsIp7 47 31.41.244.237 AEROEXPRESS-ASRU Russian Federation 14->47 41 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32 14->41 dropped 43 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32 14->43 dropped 49 Detected unpacking (changes PE section rights) 14->49 51 Detected unpacking (overwrites its own PE header) 14->51 53 Creates an undocumented autostart registry key 14->53 55 2 other signatures 14->55 19 rundll32.exe 14->19         started        23 cmd.exe 1 14->23         started        25 schtasks.exe 1 14->25         started        file8 signatures9 process10 dnsIp11 45 192.168.2.4 unknown unknown 19->45 65 System process connects to network (likely due to code injection or exploit) 19->65 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->67 69 Tries to steal Instant Messenger accounts or passwords 19->69 71 2 other signatures 19->71 27 conhost.exe 23->27         started        29 cmd.exe 1 23->29         started        31 cacls.exe 1 23->31         started        35 4 other processes 23->35 33 conhost.exe 25->33         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/342d78d9fce8746086118d55415082dd511dd6b0eeaae7800701131e54988678/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2022-12-09 13:22:09 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gqwxrwp45b2gbbqrrvkucuec3vir3vvq52vopaahaejr4veyqz4a._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:globaltrc20 botnet:nosh collection infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/221209-ql8j8adc28/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
RedLine
Malware Config
C2 Extraction:
31.41.244.237/jg94cVd30f/index.php
31.41.244.186:4683
185.106.92.214:2515
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f5d769dc-4a99-4eeb-9261-407f958e3883
Unpacked files
SH256 hash:
5c5db333e1a7ce5e55ffa3aca2858d8e431e6e1fc0dae0ca508c6081819828dd
MD5 hash:
369321f33d5ffaeeadb4da9f33c78156
SHA1 hash:
fe82623db9ce76ab210c510ac969add839795612
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/1f72fd9f-4871-4e0b-a6af-e5805028a2bf/
Parent samples :
6cafd5d97f4668051c7e77506757ac916087c3178f70f3b59fd0968e8499369b
530d90af107c941c4b214750bd0dc4cd7297f1cc8f1364fab70468d7c8ee7bd9
5c5db333e1a7ce5e55ffa3aca2858d8e431e6e1fc0dae0ca508c6081819828dd
7b8b68c28bfafe733052cd00a9d9d17229f0a26baba46d97cde6f0bb4cbb2ebe
9a75f61fd577a3545e4c5abdfa1aca0bd122df23c75351e1572940bcf8a7505e
dff2ca8fdd669045bc8ff312e74621bae2fb2a7d821b074e10cf66ed9dae049f
c87724737d99414c96b59137796aae194b92cbf6cfc26281de3e3e04a35bbae3
a35a3a7620026d61aa7543219d494af8fedfb521056c46209a2b21e9b053a95f
3ca8d13907b86a84b2f4d97b96e393242f64f850e6c62c4d5f58947c962084ef
d1ed9c860a24fcae287dbf5d9d0c09c569ede823122cefed27d21dd68541d492
c20b07f8d71e129d0b81c7b726ff71d91dfcd98eeef46a107a47abfe40716a72
d37653dfda93f31379e74c0e79b936802098133af4dd9dbae7b84bb5a583f1e6
cc6f04a00b431a85e447f122472e92e585b0a8353126334da153251d905ad589
afc8ce1c7675b9af5551610cbd6dec852b1bf77a80c1cd9eace81786901f571b
160af97e68142c8ed61b395e43beda19186a513a1e96d5d282be377c3ef92fe7
9632e27d643501e3c0dd0b772500c007e7e538317c449d2b682a401550958089
4d723b91b1c8b9d86df5dee9ebd94d2f145a6c2bfe745c224808c5c2d86cb310
2a41c122bcde5e515ee7cc893bc4990e3004ed0bd30d5610dbb2e450af15dde3
a0a5c9841577adf8307218dc42f6401448f1255081e42243f334705a488a536b
251769c83fb717c1c894752acd5a918668486048574332b71b76d5743d948bc1
ad9bc0860d147684d0f08cace485f7661e0bd2f15dbae39069740410b6f1ba31
258049f5bc9a060f6150da24bf862e24f4c1793f7464d0690fa8b7aa27f1d712
13b1eb7782f47c6f26cdea7474e9ab80d51c5ec51849d7a9739132f7021b1e4f
425608cd7abc8902204a42ab2c7280915471c1bdcc4d49ff06e7d5a1635e5997
ce8648538dc91f6236cb878a995fba63cfbdfaf4eb3136c2a3d87c346e45fe55
f3a9022b045cf24b4726b310a1094624ffc40f705b628f283cf4e3e2e4db2942
de5e31b6634b068e2c8f48eff809428b53901e39ca7d881c98c19b131e18623f
17f9454d5155260690a7f18849992e65b8f482940ebe31c516bd6e5a42229ffb
353b9f8195b0cd529bdbe2a020b3c5ec8e6082ca799a736740b991ad2c766c20
da03baaf29d5d84a1759242096e58dbb655e6e0f8096190b07afa7295cbdd43a
8f9daf056d5395302abddf8dcc94790704c4142a8667a676ba1d22f21852414b
fb68b8b4ee9607132069a93d4c00f66ba97ff093268f34a35f8f94d7b8228224
ac74e0ff9af73b08e900b85bcf600da52f410c3e32f283047dd20fd5c57597bb
27d5f164e27915bf8ea82b02d05a5cb8f922d7318dae63ffd3dd1e11f64a13a0
1ef3ee6f823b14f517fcf699f8031614d1341f129d7fb0417e7be0f7d1bef5b8
39437a6ab4a870c305ec8e6877bfc3837ee2d50006c707f723df0efb11bede31
78867102c50918967693a8e76a94a57897df54c6581ecc7017e46b44d9636be7
942e6f2c19570d3d78840cfe9c71a5eadc793a88736b9266de4fcd1f30456b98
46ebbc17afa1e9e7e86ac13aeb39b2a1e0f866f681d73a5a8a752f5b9c477d5a
50b4fd877978108f4e1944e3b46fa68b9cdf5e40752e9fe366d9a8fcff5e9404
abfb8689c686ad05177bd8064c528b0209c5882efde367ac71a5f4ef33312dd4
0549e96037003412239cbafb1c787d6b7963dd4b88148a4b631743ee7da9de4a
e16d68f4d811f327f14e337f4a0bfdc616133c2300385a9eac29b272978c1f6a
a3df4ecfcf2a1989377aeca91eb66f0501b28092c1b4031c99de298289215025
654707747a2873856917b4f743f30e240808023251e321c8b571edb8d4914e74
fe3ae8dff0ea995492bd88dde47be8cb04c86e9e3649488e7660dfdf0d50f00f
e7dacdbd7e9b95a04785824ec417bd166d1aed5e2d502102ccdcc3c8ceecae61
f1bde5908f624524c84b90c59a279fd456084ac3c6e660cae869fc045448cc4e
044a27eb5c8df3f63bc55fbfbb66a77238fad8c7fb551821510be67b57c46393
4fbe207b354f6d24d404f0f1edf0562162d016d261b57200ee33f31e2693148b
e16f7c2fe72f16b8abc057b2aa030a93aa0893251af7a8f5c4a5e09dc6d701a1
91114e48c517dfb130aaba4aaf16fa49e63d5c68206f34797651e228319a9652
bf2b57ec5048d574ad425e14ba2b184d6372b245eff964e63c10ff20a516d9a7
93db53c57ea6c3f83713e6a68892c4ae5c801d355b760f0b861fed1bbfa71f75
50c723306cc6e6ac8d86af0a7c22ca56b85426223dce8685e89b69c8c5f8d2b9
ec3f28431cca4a69e07f7e67aa434a9ff4db4600c40f39f9a47e0f74462942dc
f8bdd973686c56d6c5a6c22fe6f02991b0e928e4778796a819118f6d83860e94
fa69ce11f14f54bdcd09dd80227ae4dd67c3571803b5ff71b54e78fe79badb5a
2614d7513823d95cc64215c22788cbe6f5c5cb6dc19ea9227649ad2fdc5958c3
6e2a8c7d73124f53550cbed5ebb92fb968ad3d30e03f90b111edb04c29193b31
53dfeec0fd19b6caf91977f975603c54c1b688f62f767f87f5e5e1402b9117c3
2e7961d09a454c6a95494a2692827a41817cf6af5bc757e64c25be0651fcd7ef
67d33477a01e341bf7b476f9e36006e551680047a51e36ee27144177b43ae279
762aa99b499f8c6091c09a6b4f9d40c5146b0ca7376d6aaf1d1f1a8efa5ac230
5e535fca8f9a9ffc8f15d6cc24ef479929f40c802959f788334898e3e074f87a
cc99e587723fa28c77892b316d7e5825b134c82df55a586015abe95d35cb48ba
81e1e6844fbb26b8858bf5efab95beb40abe5172b7f34b4e5b59372adaf210ab
5303903685c561fea5503c10bcb695e49a53f7b7f520562e4e06dd75f4d2f5f8
4a124cf600ed0be0088de8db6d69f6cefad99f8b23c1a6bccc48314e6dc1f759
655d879e601f9615c0db5cb3b64a16593a55a80a9fcd36bf3010609dc8356043
77bfc0f4bf45082fc3c52c3c10d4394d925c116fda4b3eda7f09151a57ad4010
51d878f00166f0fa41b1d26d3f1f386aae3697fd35bf1a798aecb442eca437c5
35982f0b859274d30989b6e4b8ea1d69121c2918de4e199b15e6150837dcdd14
ddc9cfcd9dcbe8e9de16884c8006dfe71474d825405c9d8d25d6d1a81974040e
5e2895f410894329cc9d00f8bd9654534b4c03bab9ce07d12b4374a1f1323d9a
02420264c1079c4cf2bc6ad9a76735cee6d5ddddd79673f6ff3d4503a8c8eb81
073800cd8cc8699bc5441ea956715ae5df4d694b726df8dd6c0dd3ee74fc4284
aea7b5d1a5d7142341534c0864912f78a9f9b796076109314277f8c5698b4982
b8a686320dd1ee935f06115a15da3f898891db100876576f57853d95e169a2a0
342d78d9fce8746086118d55415082dd511dd6b0eeaae7800701131e54988678
ffb3b5acfac62b042a2670d3e0749c8c26fc4a20c5d7e72abb769a3a3220db7f
b41300b36598c97def7004f3e0a60f52b04c1d78de0edec2c71668e41ed894e5
fd93f2a4b76e61cc062d8e21eab6d17d000e0cae04a9f91ba4a043ef82a2b42b
29095ad33d62e7a596a74363fb3815a3245ae64b198f5a622415b5dcea62e944
927dab0e547bac8286ec7466ed3e6d13dccf154d2cfa94f731eb6d2838704f79
512c0236a45a29db03677250deed0371ea5823146138adcc7d325fcfb8184fd7
9b41459b3890dc8cd4ea04e68bed8dd6670382f66265192226ddc14529ae4fb3
1f736bdeece1c763239893a7d239034e7088c34407c3d795cdfbff374c88e201
034ab7379f6cf6969726fc421e7f8b2681809ec405f7650d8c0bcda937b03c30
ed0519f891d16e2e9b63e1a4e482afa6f14aaa7750ffd8020c403f64c8f2c7b1
7f194e2b209903faaf9d196a319ce521511c272b84bc25225e6381075724c048
3465d495dc0953ddc762915b2f05aca52cc327bf41bf51271b598db527a38c3b
a6180e3db23a15c0fdc3384fbb8d15b9e92d9a97528c7058ce3cc2594f624445
5e0ef07e407d35a25376733bc14cb3a9dcacabdf67fbaa255d1ee986459c77ae
6cbfa468c8a974e84ce594a01d305465c27ed6fe819d71d4a788460d8958f8db
c7e3361a4bc10f432e5331bf637b717dd7ea84d6aed4d1cff6ba09c79414309a
f5d22777baa702c0fde4a0a65fa0577c673a1d0f0bbe00e1d136d3c3c442a594
0ceaa837a2a0aaffbb544d1b51844cf8613a24eae3950cf9baeb7336389b2120
305e06bdb1406a6d9056b8447d1c49829445ddc26f009cc908fe1552f01aadbb
45de2673fd3587125371691c7073f67035edeb8cfe011853e7e0f225d53f6def
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334
945b721fead53302f3a5b90d2aea24b7964aa3eff35785f202305bcb378e7ab7
670c5fb0476f932825ac70d284b92d1422b638f01ba567eb0d6e2da65929aa74
c26e0bbc4dd6a0314138d6f98ac1b4a584cf9593ddf03a3ac55bd35ef052dc86
fe9b1395cd6d9491d427555928b4f5a3fba0adb937e218c42e725a0243748e59
2db05e8695f34c500c001fad41dca393159d77cc661e7436bde49b55b01391b3
f7a18603d90fe4666ff5d913a6cb969183de1172e5873955a6733ab78ddf9623
4f33af84d94ec5e9af635f7d2293f16cd9c0f332980bbb28349713b542448073
608053e2db2ac63271d10f1ea7b9f2a0dff0e8d949177d1edd11c36ba5982078
0ebc390d4627c0b082684bd800659899064e79daa3889a31f501b79a316ba6f6
bc4e9246ba707a23acd225363559b377bed2b2b4813878c22e22bbb381920c20
8b9f005bbf9d9a3638086e4a070e02831e9a53c704e983309cf722429aa296e3
eecfb2caccc6cdc631c31df60a317dcac6c29f9d9145e665906a4f23c7d130f6
eb7626464647e1db0a7ead31610285cc5af48a5502d119361b699972607bc924
1a9fcc9824192930be4f99536934ce03a2e06ab428097285aa1617e9c4c87d30
0d7251ac0906802ff2a1ff4bbbadb5544a98be12820a2bbaa82713f95dbbd6b1
53c752d7f64dc733450284942ddebe65fa1b9116b53d2d87e7a207a4286e4cbf
0a9e6a42e4ae83c5d44adb661ba338de65dd8d9c9498e66d5166fbf790a1146c
a56464bde918d7c77a8e2ce1afced7af48ed588ba0c0dbf1ed3db1c6f8d9cd58
fe82be52105f413b7eb3529a3f3ded35ee913e7fe02e7b9070fce1947ce58fdc
83178aca1feb62d5a31dd93e3c471ef317fccc07ee4596aa6e7b1b583077e0e6
fba05effd03e68e946730f969b03d2a2e85b981240254e9b9a0aa1050ff4866e
884aa03c1f1a9015c8a82841c6c86e97ad220012f7d8db74c803188eb37ee027
280ab8a0ca78b36c42f8fe5a09548616b23d1ac44892316b8ea54992c50c061d
fe78755144383644201c0a331f5809f02b5b93be460b001d7a5f58278e30c29a
293fe380f7aa9e0e4b0705f19fbb303bed8f05f8a5f073a911369d4dcbbc25df
4620ec137963cb82e7f1cc80a6af6bd15f294eb9b7e0d32710404e1d49f2bc2e
731c658723ca1d5df6295df26c5927b1c792b11b0b8da91eeca235eeac668b65
5514508f6c2fedd1bfa1a363661d579661c11974339f9bda6d53cf4ce5658023
SH256 hash:
342d78d9fce8746086118d55415082dd511dd6b0eeaae7800701131e54988678
MD5 hash:
38ccec7885c71c930f22ba35f10b72b1
SHA1 hash:
7b801f08d4a9291e79c7d9f09a979be26e5b0cab
Link:
https://www.unpac.me/results/1f72fd9f-4871-4e0b-a6af-e5805028a2bf/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/342d78d9fce8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/342d78d9fce8746086118d55415082dd511dd6b0eeaae7800701131e54988678

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/344711/
  
URLhaus
https://urlhaus.abuse.ch/url/2438947/

Comments