MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a88598c06ed2d49652942ca2236ef3779e01d3bf7d9806c6d45f64d1caa5170. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 9


SHA256 hash: 3a88598c06ed2d49652942ca2236ef3779e01d3bf7d9806c6d45f64d1caa5170
SHA3-384 hash: 04dc76007cef85c29b41c68e2bbc5235cf13da67df2f990addf8ff0d454e4710cc34ad73e1097ba9be0fdd12574dba44
SHA1 hash: 55644fc57ec194c6d91bafca5e71dbb6af10872c
MD5 hash: 47251c024e627999fc355cb16de2c9ff
humanhash: uranus-arizona-louisiana-alpha
File name: 47251c024e627999fc355cb16de2c9ff.ps1
Signature: Amadey
File size: 699'616 bytes
First seen: 2025-01-20 13:32:41 UTC
Last seen: 2025-01-31 07:55:28 UTC
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 12288:TLKvV0FLCrMYyybI+iUH5G0MX2VpfWRAwp3SNZ6jm7NPv:3KiKIs1fpfo3SCjeNPv
TLSH: T145E47C398107BDBE3B2E3E8C94083D851C986EE35718D658FBC8A576B299680DD7C4F4
Magika: powershell
Reporter: abuse_ch
Tags: 92-255-57-155 92-255-85-34 Amadey booking ps1

Intelligence


File Origin
# of uploads: 3
# of downloads: 224
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: confuserex evasive net obfuscated
Result
Verdict: UNKNOWN
Result
Threat name: PureCrypter, Amadey
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected PureCrypter Trojan
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AntiVM3
Behaviour
Behavior Graph ID: 1595154; sample: qOH6oNqqoi.ps1; start date: 20/01/2025; architecture: WINDOWS; score: 100

Top-level network: youtube-ui.l.google.com; xx.bstatic.com; 93 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 10 other signatures

Process tree (indentation shows parent/child; truncated paths are as shown in the graph):

powershell.exe
  Signatures: Contains functionality to start a terminal service; Found many strings related to Crypto-Wallets (likely being stolen); Writes to foreign memory regions; Injects a PE file into a foreign processes
  conhost.exe
  RegSvcs.exe
    Network: 92.255.85.34 (ports 49704, 49705, 49706) SOVTEL-ASRU, Russian Federation; 92.255.57.155 (ports 49731, 49866, 80) TELSPRU, Russian Federation; dyna.wikimedia.org
    Dropped: C:\Users\user\AppData\Local\Temp\...\34.ps1 (ASCII)
    Signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Contains functionality to start a terminal service; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures
    powershell.exe
      Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
      conhost.exe
      RegSvcs.exe
      RegSvcs.exe
        Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Writes to foreign memory regions; Tries to harvest and steal Bitcoin Wallet information; 2 other signatures
        cvtres.exe
          Dropped: C:\Users\user\AppData\...\webappsstore.sqlite (SQLite); C:\Users\user\AppData\Roaming\...\times.json (JSON); C:\Users\user\...\targeting.snapshot.json (JSON); 75 other malicious files
          Signatures: Overwrites Mozilla Firefox settings; Tries to harvest and steal browser information (history, passwords, etc)
          firefox.exe
            firefox.exe
              Network: 142.250.185.228 GOOGLEUS, United States; prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS, United States; 9 other IPs or domains
              Dropped: C:\Users\user\AppData\...\gmpopenh264.dll.tmp (PE32+); C:\Users\user\...\gmpopenh264.dll (copy) (PE32+)
              pingsender.exe (three instances), 3 other processes
                Signatures (first pingsender.exe): Tries to harvest and steal browser information (history, passwords, etc)
                conhost.exe (one per pingsender.exe)
          explorer.exe
            Signatures: Query firmware table information (likely to detect VMs); Monitors registry run keys for changes
          chrome.exe
            Network: 192.168.2.8 (ports 443, 49703, 49704); 239.255.255.250 (Reserved); 2 other IPs or domains
            chrome.exe
              Network: www.google.com 142.250.184.228 (ports 443, 50065, 50068) GOOGLEUS, United States; play.google.com 142.250.186.142 (ports 443, 50087, 50091) GOOGLEUS, United States; 2 other IPs or domains
          chrome.exe
svchost.exe
  Network: 127.0.0.1
Result
Threat name: Script-PowerShell.Trojan.LummaStealer
Status: Malicious
First seen: 2025-01-20 01:00:36 UTC
File Type: Text
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags:
family:amadey botnet:350fc2 discovery execution trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Amadey
Amadey family
Malware Config
C2 Extraction:
http://92.255.85.34
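The sandbox results above describe a repeatable chain: the .ps1 starts powershell.exe, which launches the .NET utility RegSvcs.exe and injects into it; RegSvcs.exe drops a second .ps1 under the user's Temp folder and runs it through a fresh powershell.exe, which in turn launches further RegSvcs.exe instances, while RegSvcs.exe talks to 92.255.85.34 and 92.255.57.155. The script below is an added example, not code from MalwareBazaar or from any vendor on this page: it runs that chain as three hunting rules over process-creation and network events. The event records are constructed to mirror the page's process tree; the field names, pids, ports and the full Temp path are assumptions (the page only shows a truncated path).

```python
"""Hunt for the execution chain and C2 contacts recorded on this MalwareBazaar
entry (SHA256 3a88598c...) in process-creation and network telemetry.

Added example, not MalwareBazaar's or a vendor's code. The events at the bottom
are CONSTRUCTED to mirror the sandbox process tree on the page; field names
(pid, ppid, image, cmdline, dst_ip, dst_port), pids, ports and the concrete
Temp path are assumptions.
"""
import re
from dataclasses import dataclass

# From the page's "C2 Extraction" and the sandbox network section.
C2_IPS = {"92.255.85.34", "92.255.57.155"}

# A .ps1 run from the per-user Temp folder (the page's Sigma hit:
# "Suspicious Script Execution From Temp Folder").
TEMP_PS1 = re.compile(r"\\AppData\\Local\\Temp\\.*\.ps1\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, e.g. 'regsvcs.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(procs, nets):
    """Return one finding dict per suspicious event.

    Parents are resolved by pid within the supplied events. A process whose
    parent was never recorded (started before collection) cannot match a
    parent/child rule; that is a gap in telemetry, not an error here.
    """
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        child = image_name(p.image)
        parent_name = image_name(parent.image) if parent else ""
        # Rule 1: PowerShell spawning RegSvcs.exe, the injection host the
        # sandbox shows at every stage of the chain.
        if child == "regsvcs.exe" and parent_name == "powershell.exe":
            findings.append({"rule": "powershell_spawns_regsvcs", "pid": p.pid})
        # Rule 2: RegSvcs.exe launching PowerShell on a script in Temp,
        # matching the dropped 34.ps1 stage on the page.
        if (child == "powershell.exe" and parent_name == "regsvcs.exe"
                and TEMP_PS1.search(p.cmdline)):
            findings.append({"rule": "regsvcs_spawns_temp_ps1", "pid": p.pid})
    for n in nets:
        # Rule 3: any outbound connection to the listed C2 hosts.
        if n.dst_ip in C2_IPS:
            findings.append({"rule": "c2_contact", "pid": n.pid,
                             "dst_ip": n.dst_ip, "dst_port": n.dst_port})
    return findings


# CONSTRUCTED telemetry modelled on the sandbox graph; pids, paths and ports invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
PROCS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1400, 1000, PS,
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\Desktop\qOH6oNqqoi.ps1"),
    ProcEvent(1700, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),  # parent unrecorded
    ProcEvent(2000, 1400, REGSVCS, "RegSvcs.exe"),
    ProcEvent(2500, 1400, r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff"),
    ProcEvent(2700, 2000, PS,
              r"powershell.exe -w hidden -File C:\Users\user\AppData\Local\Temp\qOH6\34.ps1"),
    ProcEvent(3000, 2700, REGSVCS, "RegSvcs.exe"),
    ProcEvent(3500, 2700, REGSVCS, "RegSvcs.exe"),
    ProcEvent(3700, 3000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe", "cvtres.exe"),
    # Benign noise: an interactive shell from Explorer, no Temp script, no C2.
    ProcEvent(4000, 1000, PS, "powershell.exe Get-Process"),
]
NETS = [
    NetEvent(2000, "92.255.85.34", 80),
    NetEvent(2000, "92.255.57.155", 80),
    NetEvent(4000, "142.250.184.228", 443),  # www.google.com in the sandbox; benign here
]


def run_example():
    return hunt(PROCS, NETS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Rule 1 fires three times on the constructed data (once per RegSvcs.exe the two PowerShell stages launch), which is the point of the chain: a single PowerShell-to-RegSvcs.exe spawn is uncommon enough to alert on, and the repeated pattern plus a Temp-folder script run from RegSvcs.exe is what separates this sample's tree from an administrator's shell. The C2 rule is deliberately IP-only because that is all the page's configuration extraction provides; a real deployment would pair it with the 92-255-* tags' source (the Suricata alerts) rather than rely on static addresses alone.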

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create during analysis. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: Amadey
File type: PowerShell (PS) ps1
SHA256: 3a88598c06ed2d49652942ca2236ef3779e01d3bf7d9806c6d45f64d1caa5170 (this sample)

Delivery method: Distributed via web download