MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a5addf4fef89f397e1abe68c3e4605e13f1aefb20ac7a705e944dde4ccd5b8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 15



SHA256 hash: 3a5addf4fef89f397e1abe68c3e4605e13f1aefb20ac7a705e944dde4ccd5b8a
SHA3-384 hash: c4ff3be07c01bf449ee349a5d869b1c2eabfbf47fc265e93b954712df91a1d2571ffc8fa39d3bedfd2fa2949c63d9dc7
SHA1 hash: dd5f45524e0a73c36f7e429943e87864c90914c7
MD5 hash: c9aa05e75a369370955cf71b12a2121a
humanhash: utah-papa-delaware-arkansas
File name: c9aa05e75a369370955cf71b12a2121a
Signature: Amadey
File size: 1'646'592 bytes
First seen: 2023-10-27 06:30:05 UTC
Last seen: 2023-10-27 08:41:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:6dczsM3Cfptr89p7vyCuWk1s0BClDKBcPME5OLi:wWsM3Cfptr8z+CuWk1PBClDKBcBwLi
Threatray: 297 similar samples on MalwareBazaar
TLSH: T1D675AD499F4ADA13CE100271D197C6F72A49DE8F9707A3335BEDBDB330873885698299
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: zbetcheckin
Tags: 32 Amadey exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 362
Origin country: FR

Vendor Threat Intelligence

Malware family:
ID: 1
File name: 3a5addf4fef89f397e1abe68c3e4605e13f1aefb20ac7a705e944dde4ccd5b8a
Verdict: Malicious activity
Analysis date: 2023-10-27 04:51:18 UTC
Tags: amadey botnet stealer sinkhole loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP POST request
Delayed reading of the file
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Adding an access-denied ACE
Reading critical registry keys
Launching the process to change network settings
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph (ID: 1333115; Sample: qc5vHvnBaF.exe; Startdate: 27/10/2023; Architecture: WINDOWS; Score: 100)

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree as shown in the graph (indentation = parent/child; per-process signatures, dropped files and network contacts listed under each process):
qc5vHvnBaF.exe
  signatures: Contains functionality to inject code into remote processes; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign processes
  qc5vHvnBaF.exe
    dropped: C:\Users\user\AppData\Local\...\Utsysc.exe (PE32)
    Utsysc.exe
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
      Utsysc.exe
        network: 185.196.8.176 (ports 49736, 49737, 49739), SIMPLECARRER2IT, Switzerland; 89.208.104.64 (ports 49738, 80), PSKSET-ASRU, Russian Federation
        dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Roaming\...\amers.exe (PE32+); 3 other malicious files
        signatures: Creates an undocumented autostart registry key
        rundll32.exe
          signatures: System process connects to network (likely due to code injection or exploit)
        cmd.exe
          conhost.exe
          cmd.exe
          cacls.exe
          4 other processes
        schtasks.exe
          conhost.exe
        rundll32.exe
          rundll32.exe
      Utsysc.exe
    svchost.exe
      network: 127.0.0.1
Utsysc.exe
  Utsysc.exe
  3 other processes
Utsysc.exe
  Utsysc.exe
  Utsysc.exe
3 other processes
  chrome.exe
    network: 192.168.2.4 (ports 443, 49736, 49737); 239.255.255.250 (Reserved)
    chrome.exe
      network: microsoftmscompoc.tt.omtrdc.net; mdec.nelreports.net; 22 other IPs or domains
  chrome.exe
    chrome.exe
  Utsysc.exe
  Utsysc.exe
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-10-27 04:43:45 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 8 of 23 (34.78%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Amadey
Unpacked files
SHA256 hash: 48697832dcf78763aabd712cd19209d89917dbfda1feab2dab3dc411fbd9dcb8
MD5 hash: faf212ebb45b81b646368c1979f61bf2
SHA1 hash: c5c3081f0b46f3ffba229fd3aa97a498b982893e

SHA256 hash: a5e0218047ec48c7807a33dd44030ec70c1c3fddccb8412f1f46f04c627f5c14
MD5 hash: 0a131d1c2e7d67d7abfd8a029a420424
SHA1 hash: 25b5624d574febae43e8031f6d379f16259e6dfd

SHA256 hash: 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
MD5 hash: b6d627dcf04d04889b1f01a14ec12405
SHA1 hash: f7292c3d6f2003947cc5455b41df5f8fbd14df14
Detections: Amadey

SHA256 hash: d412e41d4cf9c6dc15e9076f8a4182f8150cf59e277a19e38e0985194cac0542
MD5 hash: de57becce1f62676e489810d4f573ad0
SHA1 hash: c10b3b7a6e6f1b0efe53db8c245207cd824e8b17

SHA256 hash: 3a5addf4fef89f397e1abe68c3e4605e13f1aefb20ac7a705e944dde4ccd5b8a
MD5 hash: c9aa05e75a369370955cf71b12a2121a
SHA1 hash: dd5f45524e0a73c36f7e429943e87864c90914c7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Amadey
Author: kevoreilly
Description: Amadey Payload

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MALWARE_Win_Amadey
Author: ditekSHen
Description: Amadey downloader payload

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Windows_Trojan_Amadey_7abb059b
Author: Elastic Security

Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

Rule name: win_amadey_bytecodes_oct_2023
Author: Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Amadey  Executable exe  3a5addf4fef89f397e1abe68c3e4605e13f1aefb20ac7a705e944dde4ccd5b8a (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-10-27 06:30:06 UTC

url : hxxp://89.208.104.64/cleanupdate.exe