MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b8969a65abd19e563c67dc03afd4bc64042c305f273c27be1516e2b36f9aa74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs 2 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b8969a65abd19e563c67dc03afd4bc64042c305f273c27be1516e2b36f9aa74
SHA3-384 hash: 3b84749b5a612139c5f2ac7174b9f55f77c94a24de4e141355621a658256f1e7b135153880611cd1854156d09eb89d3f
SHA1 hash: 4b64dbd485e96064a4db9cf8e601712a030f13f8
MD5 hash: 9e8804197db860205d7424c6a9505065
humanhash: iowa-gee-yankee-two
File name:3b8969a65abd19e563c67dc03afd4bc64042c305f273c.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:347'136 bytes
First seen:2022-07-19 09:30:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9923dd7e7c2f584bdf6e95cc5c2f9d7f (5 x RedLineStealer, 2 x AZORult, 1 x Amadey)
ssdeep 6144:Skt3hDf1s1I8iba1In3uahRV9zZxnsH6p1KmgqbvUwZEo:13DfSC88SIn3uad9zZxa21KFMEo
Threatray 382 similar samples on MalwareBazaar
TLSH T1CA74AE00BB90D435E4B716F8497593A8A52D7EE19B2451CF22D92AEE973C2E1FC3131B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 2dac1370399b9b91 (45 x RedLineStealer, 35 x Smoke Loader, 19 x Amadey)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://cloudreactions.xyz/g93kdm3SaQ/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://cloudreactions.xyz/g93kdm3SaQ/index.php https://threatfox.abuse.ch/ioc/838649/
http://guideanceers.com/g93kdm3SaQ/index.php https://threatfox.abuse.ch/ioc/838650/

Intelligence

File Origin
# of uploads :
1
# of downloads :
737
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291819/
Detection(s):
Win.Malware.Pwsx-9956611-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Creating a file
DNS request
Sending an HTTP POST request
Delayed reading of the file
Searching for the window
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26720/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62d67a18ef2b0e63a825aad8/reports/f37d959b-29b1-47e8-9922-fd11eee6784a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3bd228fa-81e4-4af5-b23a-e68fe8fb4e42
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036402
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668892 Sample: 3b8969a65abd19e563c67dc03af... Startdate: 19/07/2022 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for dropped file 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 5 other signatures 2->68 8 3b8969a65abd19e563c67dc03afd4bc64042c305f273c.exe 4 2->8         started        12 processert.exe 2->12         started        15 bguuwe.exe 2->15         started        17 7 other processes 2->17 process3 dnsIp4 44 C:\Users\user\AppData\Local\...\bguuwe.exe, PE32 8->44 dropped 46 C:\Users\user\...\bguuwe.exe:Zone.Identifier, ASCII 8->46 dropped 78 Detected unpacking (changes PE section rights) 8->78 80 Detected unpacking (overwrites its own PE header) 8->80 82 Contains functionality to inject code into remote processes 8->82 19 bguuwe.exe 2 25 8->19         started        60 162.159.130.233 CLOUDFLARENETUS United States 12->60 file5 signatures6 process7 dnsIp8 48 81.19.135.247 IVC-ASRU Russian Federation 19->48 50 179.43.154.181 PLI-ASCH Panama 19->50 52 8.8.8.8 GOOGLEUS United States 19->52 36 C:\Users\user\AppData\Roaming\...\cred.dll, PE32 19->36 dropped 38 C:\Users\user\AppData\Local\...\wdupdate.exe, PE32 19->38 dropped 40 C:\Users\user\AppData\Local\...\cred[1].dll, PE32 19->40 dropped 42 4 other files (1 malicious) 19->42 dropped 70 Multi AV Scanner detection for dropped file 19->70 72 Detected unpacking (changes PE section rights) 19->72 74 Detected unpacking (overwrites its own PE header) 19->74 76 4 other signatures 19->76 24 rundll32.exe 19->24         started        28 wdupdate.exe 19->28         started        30 processert.exe 14 2 19->30         started        32 3 other processes 19->32 file9 signatures10 process11 dnsIp12 54 192.168.2.3 unknown unknown 24->54 84 System process connects to network (likely due to code injection or exploit) 24->84 86 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->86 88 Tries to steal Instant Messenger accounts or passwords 24->88 98 2 other signatures 24->98 90 Multi AV Scanner detection for dropped file 28->90 92 Detected unpacking (changes PE section rights) 28->92 94 Detected unpacking (overwrites its own PE header) 28->94 96 Machine Learning detection for dropped file 28->96 56 162.159.134.233 CLOUDFLARENETUS United States 30->56 58 192.168.2.1 unknown unknown 30->58 34 conhost.exe 32->34         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b8969a65abd19e563c67dc03afd4bc64042c305f273c27be1516e2b36f9aa74/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 09:31:07 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hoewtjs2xum6ky6gpxadv7klyzaefqyf6jz4e67bkfxcwnxzvj2a._file
Verdict:
malicious
Similar samples:
12163d07dc538469b9ca2d265f091feb10e3aaaa0b9565e5a8813ac8fabe94e0
Amadey
13ad0224d5f05dec29bb9ef7142c429e666525265fd33de68685abc6844a6b6c
Amadey
2630352d83d4f1045cc4db7ac7b978ee04590df043b5bad6da563106ee64ffbf
Amadey
4ee7d3af341c5908a63d4675be5fd3b1cfb2185827ad54f936a474908bafa0a9
Amadey
522b4e5ba6ce6a7303354740106bbc35bf641346f09bacb5e215e37818cc56a1
Amadey
875269cba0d717c29317564f708525dee36154ec1884ab41c17285ddff910094
Amadey
9833edafc450a7d9fd1d66bb91e1e20b2d202569a5272b036d29a1d74570b76c
Amadey
abbf182f0973c3b988241626f82c82ab2d75e6f5f05bde00138074d9579b7645
Amadey
f0ec9da984c79f4fdd540d22d157d1944129f18e79b0439cc028048812207970
Amadey
+ 372 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220719-lg2hwsbaf9/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
04642be2eaaa62c770ec0b9f78a034d01922009c2749ef3b69d33ac6d5629ac3
MD5 hash:
3595c193b25439b14b56ccbba1b5abba
SHA1 hash:
51f2f8a50ba324246aeb71eb3bf1395dd8968f40
Link:
https://www.unpac.me/results/8b093623-397d-47a1-9cc2-f18900369e42/
SH256 hash:
3b8969a65abd19e563c67dc03afd4bc64042c305f273c27be1516e2b36f9aa74
MD5 hash:
9e8804197db860205d7424c6a9505065
SHA1 hash:
4b64dbd485e96064a4db9cf8e601712a030f13f8
Link:
https://www.unpac.me/results/8b093623-397d-47a1-9cc2-f18900369e42/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b8969a65abd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b8969a65abd19e563c67dc03afd4bc64042c305f273c27be1516e2b36f9aa74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 3b8969a65abd19e563c67dc03afd4bc64042c305f273c27be1516e2b36f9aa74

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/291819/
  
URLhaus
https://urlhaus.abuse.ch/url/2259002/
  
Delivery method
Distributed via web download

Comments