MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 387575473058c7241ac8c132e42be4a3a8c2320daea44140722c482e021364c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 13
SHA256 hash: 387575473058c7241ac8c132e42be4a3a8c2320daea44140722c482e021364c7
SHA3-384 hash: be9efb283bdc1835679072e0501f7fea54f74f5c0761d760b01b402e5a6e58b9b5ffc0921b3cc7aa396f5109142858db
SHA1 hash: d80998ceb016d01c27240ee72e849c7fbd3cc4c6
MD5 hash: 0ead3eb3351e9a4c28276d5c7d3c179d
humanhash: white-oven-hot-mike
File name: file
Signature: Amadey
File size: 210'944 bytes
First seen: 2022-11-27 20:36:46 UTC
Last seen: 2022-11-27 22:29:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 33f584fb09425a63c18d9243880232f9 (3 x Smoke Loader, 2 x Tofsee, 2 x Amadey)
ssdeep: 3072:1Po9eVyWI/mBOk5c6h9IPRLKrDRYAaYp/oZrdYIIze6zOVuPjYlDejJ5k:+9eZlBsdKrx/4Y5e6zOV3DSJ
Threatray: 2'209 similar samples on MalwareBazaar
TLSH: T1F124F112F960E032C49609759A38C3E56E7AF9311A719943BF845F7E0F30AC27A7A785
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 24ac137039939b91 (2 x Amadey, 1 x Tofsee)
Reporter: andretavare5
Tags: Amadey exe


andretavare5
Sample downloaded from http://193.56.146.77/kara/niga.exe

Intelligence
File Origin
# of uploads: 25
# of downloads: 208
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-27 20:37:28 UTC
Tags:
trojan amadey stealer loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Creating a file
Delayed reading of the file
Sending an HTTP POST request
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
anti-vm greyware packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph: [graph image not reproducible in text] Behavior Graph ID 754770, sample file.exe, start date 27/11/2022, architecture WINDOWS, score 100. Process chain shown in the graph: file.exe drops and starts gntuud.exe (in AppData\Local, with a Zone.Identifier stream), which drops cred64.dll, contacts 31.41.244.17 (AEROEXPRESS-AS, Russian Federation) and starts rundll32.exe and schtasks.exe (the latter spawning conhost.exe); signature nodes match the list above.
Threat name:
Win32.Trojan.SmokeLoader
Status:
Malicious
First seen:
2022-11-27 20:37:09 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
18 of 26 (69.23%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:amadey collection spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
Malware Config
C2 Extraction:
31.41.244.17/hfk3vK9/index.php
Unpacked files
SHA256 hash:
104bc4ba9cf975a27fc383ee9eff12f6085a73f975f6731f02e85a92acb33cd1
MD5 hash:
49918b4d3003853a39d0b2b8b98a5dc7
SHA1 hash:
7762c7171c9c0930750a4c179014ac5ed6273889
Detections:
Amadey
Parent samples :
SHA256 hash:
387575473058c7241ac8c132e42be4a3a8c2320daea44140722c482e021364c7
MD5 hash:
0ead3eb3351e9a4c28276d5c7d3c179d
SHA1 hash:
d80998ceb016d01c27240ee72e849c7fbd3cc4c6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security
Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments