MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 18



SHA256 hash: 3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366
SHA3-384 hash: 16a489ba372f9e3904c0f17931afe8e28a6a74dab4acd13d5988427a31f1a9a5b2441baf7428287f464c68dbd60595c7
SHA1 hash: 81f2ecd89774c56e0cc9cdb9dfe273df76dfefa7
MD5 hash: b7668e16e00cfa7aab4fd5833311a9d3
humanhash: tennis-fix-music-berlin
File name: explorhe.exe
Signature Amadey
File size: 809'472 bytes
First seen: 2024-01-20 18:46:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 7515ecf8c0dfa4d230ad835fe0acb57f (18 x Amadey, 4 x RedLineStealer, 2 x RiseProStealer)
ssdeep 12288:r9SJ++jmIFElFpRqH1YWGn1Io7YNQZDzdYD/jGW/nSkxgsDggauUPnIpm68fuvQR:r0g9/nREmWGn/wQFRHW/nSkx4dk4qo
TLSH T11E0533BC43A4B240C664E7FE664A16E8FE6C3A0B11D40A17395FAF610174FDEE716893
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter smica83
Tags: Amadey exe HUN

Intelligence


File Origin
# of uploads :
1
# of downloads :
307
Origin country :
HU
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe
Verdict:
Malicious activity
Analysis date:
2024-01-20 18:49:29 UTC
Tags:
amadey botnet stealer redline loader stealc fabookie risepro evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Connecting to a non-recommended domain
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
enigma lolbin obfuscated packed packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
LummaC, Amadey, Fabookie, Glupteba, Lumm
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Fabookie
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Behaviour
Behavior Graph:
Behavior Graph ID: 1378035
Sample: explorhe.exe
Startdate: 20/01/2024
Architecture: WINDOWS
Score: 100
Root signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

Process tree (network contacts, dropped files and signatures are listed under the process that produced them):

explorhe.exe (submitted sample)
  dropped: C:\Users\user\AppData\Local\...\explorhe.exe (PE32)
  signatures: Detected unpacking (changes PE section rights); Hides threads from debuggers; Contains functionality to detect sleep reduction / modifications
  explorhe.exe (second instance)
    network: 185.215.113.68 WHOLESALECONNECTIONSNL Portugal; 185.240.248.84 RACKFIBERPT Portugal; 2 other IPs or domains
    dropped: C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\zonak.exe (PE32); C:\Users\user\AppData\Local\...\flesh.exe (PE32); 25 other malicious files
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Creates an undocumented autostart registry key; 5 other signatures
    latestrocki.exe
      dropped: C:\Users\user\AppData\Local\...\toolspub1.exe (PE32); C:\Users\user\AppData\Local\Temp\rty25.exe (PE32+); C:\Users\user\AppData\...\InstallSetup7.exe (PE32); C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file
      InstallSetup7.exe
        network: 2 other IPs or domains
        dropped: C:\Users\user\AppData\Local\...\nsvC79A.tmp (PE32); C:\Users\user\AppData\Local\...\INetC.dll (PE32); C:\Users\user\AppData\...\BroomSetup.exe (PE32); C:\Users\user\AppData\...\syncUpd[1].exe (PE32)
        signatures: Multi AV Scanner detection for dropped file
        nsvC79A.tmp
          network: 185.172.128.79 NADYMSS-ASRU Russian Federation
          dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 9 other files (1 malicious)
          signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures
        BroomSetup.exe
          cmd.exe
            conhost.exe
            chcp.com
            schtasks.exe
      toolspub1.exe
        signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)
        WerFault.exe
      31839b57a4f11171d6abc8bbc4451ee4.exe
        signatures: Detected unpacking (overwrites its own PE header); Found Tor onion address
        powershell.exe
          conhost.exe
      rty25.exe
        network: 154.92.15.189 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles
        dropped: C:\Users\...\242fb453e3ea3e5366213b0bdcdf4f88 (SQLite)
    data.exe
      dropped: C:\Users\user\AppData\...\Protect544cd51a.dll (PE32)
      signatures: Found many strings related to Crypto-Wallets (likely being stolen); Sample uses process hollowing technique; LummaC encrypted strings found
      MSBuild.exe
        network: 2 other IPs or domains
        signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      2 other processes
        network: 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
    crypted.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
      RegAsm.exe
        network: 20.79.30.95 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
    9 other processes
      network: 80.79.4.61 SISTEMEMD Moldova Republic of; 195.20.16.103 EITADAT-ASFI Finland
      dropped: C:\Users\user\ZVAqvUdwMBqrSNq.pdf (PE32); C:\Users\user\OyZQWfDdESIZLNS.pdf (PE32); C:\Users\user\AppData\...\ms_updater.exe (PE32); C:\Users\user\AppData\Roaming\ms_tool.exe (PE32)
      signatures: System process connects to network (likely due to code injection or exploit); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures
      RegAsm.exe
        network: 144.76.1.85 HETZNER-ASDE Germany
        dropped: C:\Users\user\AppData\Local\...\qemu-ga.exe (PE32)
        qemu-ga.exe
          signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      3 other processes
        network: 2 other IPs or domains
jsc.exe
  network: 185.172.128.33 NADYMSS-ASRU Russian Federation
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
svchost.exe
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  WerFault.exe
    Conhost.exe
  WerFault.exe
2 other processes
Threat name:
Win32.Trojan.Blacked
Status:
Malicious
First seen:
2024-01-19 23:15:52 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:amadey family:fabookie family:glupteba family:redline family:smokeloader family:stealc family:xmrig family:zgrat botnet:2024 botnet:@pixelscloud botnet:@rlreborn cloud tg: @fatherofcarders) botnet:legaa botnet:livetraffic botnet:pub1 backdoor discovery dropper evasion infostealer loader miner persistence rat rootkit spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
XMRig Miner payload
Amadey
Detect Fabookie payload
Detect ZGRat V1
Fabookie
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Stealc
ZGRat
xmrig
Malware Config
C2 Extraction:
http://185.215.113.68
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
http://185.172.128.79
http://app.alie3ksgaa.com/check/safe
20.79.30.95:33223
94.156.65.198:13781
185.172.128.33:38294
195.20.16.103:20440
141.95.211.148:46011
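The C2 list above mixes two shapes: HTTP URLs (the Amadey / Stealc check-in endpoints, three of them near-identical look-alike domains) and bare host:port pairs (raw-TCP endpoints). The script below, added here as a worked example and not part of MalwareBazaar or any vendor's tooling, normalises both shapes into (host, port, path) and runs constructed proxy-style log lines against them with exact host matching, so that a look-alike such as tradeinmyus.com is not reported just because it contains a substring of a listed domain. The log lines and their field layout (timestamp, source, destination host, destination port, path) are an assumption made for the example.

```python
"""Match proxy/NetFlow-style log lines against the C2 list from this entry.

Added example, not MalwareBazaar code. The C2 entries are copied from the
Malware Config section of this page; the log lines are constructed.
"""
from urllib.parse import urlparse

# Copied verbatim from the "C2 Extraction" list on this page.
C2_EXTRACTION = [
    "http://185.215.113.68",
    "http://trad-einmyus.com/index.php",
    "http://tradein-myus.com/index.php",
    "http://trade-inmyus.com/index.php",
    "http://185.172.128.79",
    "http://app.alie3ksgaa.com/check/safe",
    "20.79.30.95:33223",
    "94.156.65.198:13781",
    "185.172.128.33:38294",
    "195.20.16.103:20440",
    "141.95.211.148:46011",
]


def normalise_c2(entry):
    """Turn one C2 string into (host, port, path).

    URL entries yield the host, the explicit or scheme-default port and the
    path ("/" when the URL has none); bare host:port entries yield host,
    port and path None, meaning "any path / non-HTTP".
    """
    if "://" in entry:
        u = urlparse(entry)
        port = u.port or (443 if u.scheme == "https" else 80)
        return u.hostname.lower(), port, (u.path or "/")
    host, _, port = entry.rpartition(":")
    return host.lower(), int(port), None


def build_index(entries):
    """Index C2 entries by exact host.

    Exact-host lookup (dict key) rather than substring search: the three
    look-alikes trad-einmyus.com / tradein-myus.com / trade-inmyus.com must
    each match only themselves, and "myus.com" as a substring would also hit
    hosts that are not on the list.
    """
    index = {}
    for e in entries:
        host, port, path = normalise_c2(e)
        index.setdefault(host, []).append((port, path, e))
    return index


def match_log_line(line, index):
    """Return the C2 entry matched by one log line, or None.

    Assumed line layout (constructed for this example):
        <timestamp> <src_ip> <dst_host> <dst_port> <path>
    A host:port C2 matches on host and port; an HTTP C2 additionally requires
    the requested path to start with the C2 path.
    """
    parts = line.split()
    if len(parts) < 5:
        return None
    _, _, dst_host, dst_port, path = parts[:5]
    for port, c2_path, original in index.get(dst_host.lower(), []):
        if int(dst_port) != port:
            continue
        if c2_path is None or path.startswith(c2_path):
            return original
    return None


def scan(lines, entries=C2_EXTRACTION):
    """Run every line through the matcher; returns [(line, matched_c2), ...]."""
    index = build_index(entries)
    return [(line, m) for line in lines if (m := match_log_line(line, index))]


# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    "2024-01-20T18:50:01Z 10.0.0.5 trade-inmyus.com 80 /index.php",
    "2024-01-20T18:50:02Z 10.0.0.5 tradeinmyus.com 80 /index.php",   # look-alike, not listed
    "2024-01-20T18:50:03Z 10.0.0.5 185.172.128.33 38294 -",
    "2024-01-20T18:50:04Z 10.0.0.5 185.172.128.33 443 -",            # listed host, wrong port
    "2024-01-20T18:50:05Z 10.0.0.5 app.alie3ksgaa.com 80 /check/safe",
    "2024-01-20T18:50:06Z 10.0.0.5 app.alie3ksgaa.com 80 /other",    # listed host, wrong path
    "2024-01-20T18:50:07Z 10.0.0.5 185.215.113.68 80 /",
]

if __name__ == "__main__":
    for line, c2 in scan(SAMPLE_LOG):
        print(f"HIT {c2} <- {line}")
```

Port and path are deliberately part of the match: the infrastructure listed here is shared hosting for several families (the same /24 appears with different ports), so a bare IP match would be noisier than the extracted config supports. Widen it only after confirming the host is dedicated.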
Unpacked files
SHA256 hash:
3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366
MD5 hash:
b7668e16e00cfa7aab4fd5833311a9d3
SHA1 hash:
81f2ecd89774c56e0cc9cdb9dfe273df76dfefa7
Detections:
SUSP_XORed_URL_In_EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Author:kevoreilly
Description:Amadey Payload
Rule name:Borland
Author:malware-lu
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EnigmaProtector1XSukhovVladimirSergeNMarkin
Author:malware-lu
Rule name:EnigmaStub
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_XORed_URL_In_EXE
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_amadey_a9f4
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_bytecodes_oct_2023
Author:Matthew @ Embee_Research
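The SUSP_XORed_URL_In_EXE rule listed above looks for "http://" and "https://" XORed with a single-byte key, a cheap way to find C2 strings that a packer or stub hides from plain string rules. The script below is an added example, not the YARA rule itself and not MalwareBazaar code: it performs the same single-byte-key search over a byte buffer and then keeps decoding past the prefix to recover the full URL and the key, which is what an analyst wants to see once the rule fires. The sample buffer is constructed for this example (one URL built from an IP on this entry's C2 list, encoded with an arbitrary key of 0x5A, surrounded by filler and by a plaintext URL that must not be reported).

```python
"""Single-byte-XOR URL scanner: the search behind SUSP_XORed_URL_In_EXE.

Added example; not the YARA rule and not MalwareBazaar code. The buffer
below is constructed for illustration.
"""
import string

PREFIXES = (b"http://", b"https://")
# Bytes accepted as part of a decoded URL once a prefix has matched.
URL_CHARS = set((string.ascii_letters + string.digits
                 + "-._~:/?#[]@!$&'()*+,;=%").encode())


def xor_bytes(data, key):
    """XOR every byte of data with one single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_urls(buf, max_len=256):
    """Return [(offset, key, decoded_url), ...] sorted by offset.

    Key 0x00 is skipped: that is a plaintext URL, which is left to ordinary
    string rules. After a prefix hits, the match is extended while the
    decoded byte is still a URL character. An encoded NUL terminator is
    stored as the key byte itself and decodes back to NUL, so it ends the
    string like any other non-URL byte.
    """
    hits = []
    for key in range(1, 256):
        for prefix in PREFIXES:
            needle = xor_bytes(prefix, key)
            start = 0
            while (off := buf.find(needle, start)) >= 0:
                end = off
                while (end < len(buf) and end - off < max_len
                       and (buf[end] ^ key) in URL_CHARS):
                    end += 1
                hits.append((off, key, xor_bytes(buf[off:end], key).decode("ascii")))
                start = off + 1
    return sorted(hits)


# Constructed sample buffer: a fake header, filler, one XOR-encoded URL with
# its NUL terminator, then a plaintext URL that key 0x00 skipping must ignore.
KEY = 0x5A
SAMPLE = (
    b"MZ\x90\x00" + b"\x4d\x7c" * 8
    + xor_bytes(b"http://185.172.128.79/index.php\x00", KEY)
    + b"\xff\x00" + b"plain http://example.invalid/ text" + b"\x00" * 4
)

if __name__ == "__main__":
    for off, key, url in find_xored_urls(SAMPLE):
        print(f"offset 0x{off:x} key 0x{key:02x}: {url}")
```

Single-byte XOR is only the simplest case; a multi-byte or rolling key defeats this search, and the real rule's extra conditions (which this script does not reproduce) exist to keep false positives down on large buffers. Treat a hit as a lead to confirm in the unpacked sample, not as proof of a C2 on its own.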

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366

(this sample)

Delivery method
Distributed via web download

Comments