MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3475c5eb0d611117a6eb5b8b532b9319c4f89b585a4f2cf7eee4d2bdc0b8c7e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3475c5eb0d611117a6eb5b8b532b9319c4f89b585a4f2cf7eee4d2bdc0b8c7e3
SHA3-384 hash: b52cc033fd3b751902aed153326e31f1199757184fbcb3f9cde216313e2638618e24f4e45f8e21d7d01cf2b1e19de26a
SHA1 hash: 23cb83c765056bd8f9d0660f8e8e16c88f49486f
MD5 hash: d4484913ee516173679a21711c901b02
humanhash: angel-kansas-delaware-echo
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:1'908'736 bytes
First seen:2024-08-17 20:40:02 UTC
Last seen:2024-08-17 21:19:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:tlPPyAw22FnAmNdTIX5p6Y6BLMNpuqp1i0VzChGv1s+:tlPPSrdTMp6x1MNpuqpw74vu
Threatray 5 similar samples on MalwareBazaar
TLSH T10B95339D8169B637F4E14AB58788E64102BCB228C1EFC3A06FCDC7568C55CA587F8BC5
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/soka/random.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
469
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-08-17 20:40:17 UTC
Tags:
amadey botnet stealer loader stealc redline metastealer themida cryptbot github zharkbot smokeloader lumma pastebin discord opendir python
Link:
https://app.any.run/tasks/94456267-a7b5-43ff-9cb8-9467e6a818b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.7126.10620.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c10aa4b35234d5cc65f67a
Tags:
Discovery Execution Generic Infostealer Network Stealth Trojan Crypt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/66c10aa8b70f08db50c77a0f/reports/053c74fe-0733-4f4f-9aa3-617b885eeb3b/overview
Verdict:
Malicious
Labled as:
Kryptik.Generic
Link:
https://www.hybrid-analysis.com/sample/3475c5eb0d611117a6eb5b8b532b9319c4f89b585a4f2cf7eee4d2bdc0b8c7e3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6391e927-8bd0-44a8-a3b0-ac7b165d8039
Result
Threat name:
Amadey, Cryptbot, Go Injector, PureLog S
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1494261
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Amadeys stealer DLL
Yara detected Cryptbot
Yara detected Go Injector
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1494261 Sample: file.exe Startdate: 17/08/2024 Architecture: WINDOWS Score: 100 147 Multi AV Scanner detection for domain / URL 2->147 149 Found malware configuration 2->149 151 Malicious sample detected (through community Yara rule) 2->151 153 28 other signatures 2->153 10 axplong.exe 46 2->10         started        15 file.exe 5 2->15         started        17 axplong.exe 2->17         started        19 3 other processes 2->19 process3 dnsIp4 139 154.216.17.4 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 10->139 141 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 10->141 143 2 other IPs or domains 10->143 119 C:\Users\user\AppData\Local\...\Images.exe, PE32 10->119 dropped 121 C:\Users\user\AppData\...\mobiletrans.exe, PE32+ 10->121 dropped 123 C:\Users\user\AppData\Local\...\runtime.exe, PE32 10->123 dropped 129 19 other malicious files 10->129 dropped 199 Hides threads from debuggers 10->199 201 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->201 203 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 10->203 21 BattleGermany.exe 10->21         started        25 stealc_default.exe 10->25         started        28 crypteda.exe 1 10->28         started        32 6 other processes 10->32 125 C:\Users\user\AppData\Local\...\axplong.exe, PE32 15->125 dropped 127 C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII 15->127 dropped 205 Detected unpacking (changes PE section rights) 15->205 207 Tries to evade debugger and weak emulator (self modifying code) 15->207 209 Tries to detect virtualization through RDTSC time measurements 15->209 30 axplong.exe 15->30         started        211 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->211 file5 signatures6 process7 dnsIp8 101 C:\Users\user\AppData\Local\Temp\Tracked, data 21->101 dropped 113 7 other malicious files 21->113 dropped 173 Multi AV Scanner detection for dropped file 21->173 175 Writes many files with high entropy 21->175 34 cmd.exe 21->34         started        131 185.215.113.17 WHOLESALECONNECTIONSNL Portugal 25->131 103 C:\Users\user\AppData\...\softokn3[1].dll, PE32 25->103 dropped 105 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 25->105 dropped 107 C:\Users\user\AppData\...\mozglue[1].dll, PE32 25->107 dropped 115 9 other files (5 malicious) 25->115 dropped 177 Tries to steal Mail credentials (via file / registry access) 25->177 179 Found many strings related to Crypto-Wallets (likely being stolen) 25->179 191 4 other signatures 25->191 181 Antivirus detection for dropped file 28->181 183 Machine Learning detection for dropped file 28->183 193 3 other signatures 28->193 38 RegAsm.exe 28->38         started        40 conhost.exe 28->40         started        185 Detected unpacking (changes PE section rights) 30->185 187 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->187 195 5 other signatures 30->195 133 185.215.113.67 WHOLESALECONNECTIONSNL Portugal 32->133 135 80.249.145.88 SELECTELRU Russian Federation 32->135 137 45.66.231.214 CMCSUS Germany 32->137 109 C:\Users\user\AppData\Local\...\Hkbsse.exe, PE32 32->109 dropped 111 C:\Users\user\AppData\Local\Temp\Zinc, data 32->111 dropped 117 7 other malicious files 32->117 dropped 189 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->189 197 2 other signatures 32->197 42 RegAsm.exe 1 18 32->42         started        45 cmd.exe 32->45         started        47 Hkbsse.exe 32->47         started        file9 signatures10 process11 dnsIp12 93 C:\Users\user\AppData\Local\...\Community.pif, PE32 34->93 dropped 167 Drops PE files with a suspicious file extension 34->167 169 Writes many files with high entropy 34->169 49 Community.pif 34->49         started        53 cmd.exe 34->53         started        55 conhost.exe 34->55         started        67 7 other processes 34->67 95 C:\Users\user\AppData\...\xakSZKKqzs.exe, PE32 38->95 dropped 97 C:\Users\user\AppData\...\dnwSlb7eLS.exe, PE32 38->97 dropped 57 xakSZKKqzs.exe 38->57         started        59 dnwSlb7eLS.exe 38->59         started        145 20.52.165.210 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 42->145 171 Installs new ROOT certificates 42->171 99 C:\Users\user\AppData\Local\...\Beijing.pif, PE32 45->99 dropped 61 tasklist.exe 45->61         started        63 conhost.exe 45->63         started        65 findstr.exe 45->65         started        file13 signatures14 process15 file16 85 C:\Users\user\AppData\Local\...\SkyPilot.pif, PE32 49->85 dropped 87 C:\Users\user\AppData\Local\...\SkyPilot.js, ASCII 49->87 dropped 89 C:\Users\user\AppData\Local\...\D, data 49->89 dropped 155 Drops PE files with a suspicious file extension 49->155 157 Uses schtasks.exe or at.exe to add and modify task schedules 49->157 159 Writes to foreign memory regions 49->159 165 2 other signatures 49->165 69 cmd.exe 49->69         started        71 schtasks.exe 49->71         started        91 C:\Users\user\AppData\Local\Temp\177479\s, data 53->91 dropped 161 Multi AV Scanner detection for dropped file 57->161 163 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 57->163 73 conhost.exe 57->73         started        75 conhost.exe 59->75         started        77 Conhost.exe 61->77         started        signatures17 process18 process19 79 conhost.exe 69->79         started        81 schtasks.exe 69->81         started        83 conhost.exe 71->83         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3475c5eb0d611117a6eb5b8b532b9319c4f89b585a4f2cf7eee4d2bdc0b8c7e3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3475c5eb0d611117a6eb5b8b532b9319c4f89b585a4f2cf7eee4d2bdc0b8c7e3/
Threat name:
Win32.Ransomware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-08-17 20:41:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gr24l2ynmeirpjxllofvgk4tdhcprg2yljhsz57o4tjl3qfyy7rq._file
Verdict:
malicious
Similar samples:
1b5db3f79bbd20394a3ecc20c98f4d9d64f829c01184ae7c8e2373196989e439
Amadey
57ebc7f3cb3ae62e5789d6b11cdcf3eee397c16f86cc6fee18e938edde4dd1f4
Amadey
682e5a143bf1041ee0d8cf47c9d8c0aad22cb9fa2cd353dbe367a80011e9a158
Amadey
e294f1b0ec3cff802aaa8be3fc47aa0c1a56cbdc644467503e5b30122954964d
Amadey
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:redline family:stealc botnet:14082024 botnet:816fa botnet:a51500 botnet:buy tg @fatherofcarders botnet:default botnet:fed3aa botnet:livetraffic credential_access defense_evasion discovery evasion execution infostealer pyinstaller spyware stealer trojan
Link:
https://tria.ge/reports/240817-zfwsxayckr/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Indirect Command Execution
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Lumma Stealer, LummaC
RedLine
RedLine payload
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.215.113.16
20.52.165.210:39030
http://185.215.113.17
45.66.231.214:9932
185.215.113.67:21405
88.99.151.68:7200
http://api.garageserviceoperation.com
https://potentioallykeos.shop/api
https://interactiedovspm.shop/api
https://charecteristicdxp.shop/api
https://cagedwifedsozm.shop/api
https://deicedosmzj.shop/api
https://southedhiscuso.shop/api
https://consciousourwi.shop/api
https://weiggheticulop.shop/api
https://tenntysjuxmz.shop/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b09cddc0-6eee-46d0-8909-1a3d0ac103be
Unpacked files
SH256 hash:
a5634c8a6992de27c9c9eeea13cc0d6999dfe00ec1adfca8447cc7a92929b8a8
MD5 hash:
8a30c4e3c1694a6de371ab4aca2f3a4d
SHA1 hash:
558abcf6d64005e8a7be8a7f3d316a291bad9fe6
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/a73ca966-2a0d-4ddf-bbba-5c25ed834ea9/
SH256 hash:
3475c5eb0d611117a6eb5b8b532b9319c4f89b585a4f2cf7eee4d2bdc0b8c7e3
MD5 hash:
d4484913ee516173679a21711c901b02
SHA1 hash:
23cb83c765056bd8f9d0660f8e8e16c88f49486f
Link:
https://www.unpac.me/results/a73ca966-2a0d-4ddf-bbba-5c25ed834ea9/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3475c5eb0d61/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3475c5eb0d611117a6eb5b8b532b9319c4f89b585a4f2cf7eee4d2bdc0b8c7e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 3475c5eb0d611117a6eb5b8b532b9319c4f89b585a4f2cf7eee4d2bdc0b8c7e3

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3067427/
  
URLhaus
https://urlhaus.abuse.ch/url/3067442/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments