MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 384292cad1c05552ccbd691de48865ce75375f7e601db66b3f5cad0f8f294d6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 384292cad1c05552ccbd691de48865ce75375f7e601db66b3f5cad0f8f294d6c
SHA3-384 hash: e3d027ccac17c7b3ae6605c2757265f791ff996b9bdff6f34857af329a878c2c540abee7040f8f2968c1dfd841e1e71d
SHA1 hash: 1846e85a730fc082bcbd202f6c1c2d0ac571ec68
MD5 hash: b79f1dc9315a50d3424caafc78df3c72
humanhash: don-seven-seventeen-fish
File name:SecuriteInfo.com.generic.ml.7966.9684
Download: download sample
Signature Amadey
Create hunting rule
File size:5'858'552 bytes
First seen:2021-09-28 22:47:30 UTC
Last seen:2021-11-25 12:23:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 98304:8Sijb2n3E8nT3MeZrZh5osN8k5DzL6JY2Ewd7qECWmTRm/nPcMj:CGE8nT3Hh5oe88DzLfoxHmTgc6
Threatray 4 similar samples on MalwareBazaar
TLSH T1BE46123BF264A53EC4AE1B3145B392509937BA64B81A8C2F07FC390DCF765601E3E656
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter SecuriteInfoCom
Tags:Amadey exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.215.113.13/g4MbvE/index.php https://threatfox.abuse.ch/ioc/227531/

Intelligence

File Origin
# of uploads :
3
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.generic.ml.7966.9684
Verdict:
Suspicious activity
Analysis date:
2021-09-28 22:50:45 UTC
Tags:
installer
Link:
https://app.any.run/tasks/56a02aa9-e09e-469b-9b54-221a8ae8558e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192735/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

SecuriteInfo.com.generic.ml.7966.9684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/779e70c2-2f83-4033-8b20-d0131fc648ab
Result
Threat name:
Amadey RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/860341
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Amadey bot
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492770 Sample: SecuriteInfo.com.generic.ml... Startdate: 29/09/2021 Architecture: WINDOWS Score: 100 50 65.108.1.219, 28593, 49918, 50074 ALABANZA-BALTUS United States 2->50 52 gtm-cn-4590x3tmp01.gtm-a2b4.com 47.91.67.36, 49781, 49782, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 2->52 54 5 other IPs or domains 2->54 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected RedLine Stealer 2->64 66 5 other signatures 2->66 10 SecuriteInfo.com.generic.ml.7966.exe 2 2->10         started        signatures3 process4 file5 46 C:\...\SecuriteInfo.com.generic.ml.7966.tmp, PE32 10->46 dropped 13 SecuriteInfo.com.generic.ml.7966.tmp 3 13 10->13         started        process6 file7 48 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 13->48 dropped 72 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->72 74 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->74 17 SecuriteInfo.com.generic.ml.7966.exe 2 13->17         started        signatures8 process9 file10 28 C:\...\SecuriteInfo.com.generic.ml.7966.tmp, PE32 17->28 dropped 20 SecuriteInfo.com.generic.ml.7966.tmp 5 118 17->20         started        process11 file12 30 C:\Users\user\...\disksyncer.exe (copy), PE32 20->30 dropped 32 C:\Users\...\windowsprintersupport.dll (copy), PE32+ 20->32 dropped 34 C:\Users\user\AppData\...\is-B1OBN.tmp, PE32+ 20->34 dropped 36 46 other files (none is malicious) 20->36 dropped 23 disksyncer.exe 2 22 20->23         started        process13 dnsIp14 56 185.215.113.13, 49738, 49739, 49741 WHOLESALECONNECTIONSNL Portugal 23->56 58 185.215.113.36, 49740, 49770, 80 WHOLESALECONNECTIONSNL Portugal 23->58 38 C:\...\DebasedSeptenary_2021-09-29_00-21.exe, PE32 23->38 dropped 40 DebasedSeptenary_2021-09-29_00-21[1].exe, PE32 23->40 dropped 42 C:\Users\user\AppData\...\main_signed1[1].exe, PE32 23->42 dropped 44 C:\ProgramData\...\main_signed1.exe, PE32 23->44 dropped 68 Creates autostart registry keys with suspicious names 23->68 70 Creates multiple autostart registry keys 23->70 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/384292cad1c05552ccbd691de48865ce75375f7e601db66b3f5cad0f8f294d6c/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 15:49:39 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbbjfswrybkvftf5neo6jcdfzz2tox36mao3m2z7lswq7dzjjvwa._file
Verdict:
malicious
Similar samples:
2ae6703e19002c43074774727b96a0de197208bef65f33b52272ea5327cb586d
Amadey
4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d
Amadey
ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852
Amadey
ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9
Amadey
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210928-2q4mlsdbd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
d100e20b1a3508b4aed1b780dbf18456d101236252ebbeb523d37e06fe6e0bdf
MD5 hash:
77f87b188f80f4ca3bef70cd70924898
SHA1 hash:
0641285010f76ef96992159341f4068719d55326
Link:
https://www.unpac.me/results/4a925196-7617-42ec-ab22-e365d9b883d7/
SH256 hash:
c32e373c1f37433aa8b3caeeb005a731913fa7b47af361e22213dc035a618e71
MD5 hash:
b63120e82a1a9e5754211ab2e7149f3f
SHA1 hash:
abb845df310e6fe4cec1e6f081e7d880e6c76bbd
Link:
https://www.unpac.me/results/4a925196-7617-42ec-ab22-e365d9b883d7/
SH256 hash:
e2803ebdff1bda251df22d05b7b1f84f1128bcb94ba1e6c89212c13a3ff4de67
MD5 hash:
2c3a20b91ed6e0581a1cb604c710a682
SHA1 hash:
90403ddc9d8b904ecc599cba15ec64c46717a71d
Link:
https://www.unpac.me/results/4a925196-7617-42ec-ab22-e365d9b883d7/
SH256 hash:
8d911d16cca11a410253d3402b15441e6310f71b76971c084aa0aab8d0833316
MD5 hash:
9bee6907ed872735649ad85b640f11a4
SHA1 hash:
72ea389a1bd4e1a936bb94a558a010fd5df7358c
Link:
https://www.unpac.me/results/4a925196-7617-42ec-ab22-e365d9b883d7/
SH256 hash:
384292cad1c05552ccbd691de48865ce75375f7e601db66b3f5cad0f8f294d6c
MD5 hash:
b79f1dc9315a50d3424caafc78df3c72
SHA1 hash:
1846e85a730fc082bcbd202f6c1c2d0ac571ec68
Link:
https://www.unpac.me/results/4a925196-7617-42ec-ab22-e365d9b883d7/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/384292cad1c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/384292cad1c05552ccbd691de48865ce75375f7e601db66b3f5cad0f8f294d6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 384292cad1c05552ccbd691de48865ce75375f7e601db66b3f5cad0f8f294d6c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1647063/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/192735/

Comments