Threat name:
Python Stealer, Amadey, Monster Stealer
Alert
Classification:
troj.spyw.evad
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected generic credential text file
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Behavior Graph
ID:
1460136
Sample:
setup.exe
Startdate:
20/06/2024
Architecture:
WINDOWS
Score:
100

Behavior graph, rebuilt as a process tree from the graph's nodes and edges. Each process node lists the files it dropped, the IPs it contacted, the signatures attributed to it, and the processes it started (child processes are indented under their parent). Numbers in parentheses after a process name are the annotations carried on the graph's process nodes.

setup.exe (sample)
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 20 other signatures
  started: setup.exe (5)
    dropped: C:\Users\user\AppData\Local\...\axplong.exe, PE32
    dropped: C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII
    Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements; Potentially malicious time measurement code found
    started: axplong.exe (46)
      IP: 77.91.77.81 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation)
      IP: 185.172.128.116 (NADYMSS-ASRU, Russian Federation)
      dropped: C:\Users\user\...\quickaccesspopup.exe, PE32+
      dropped: C:\Users\user\AppData\Local\Temp\...\legs.exe, PE32
      dropped: C:\Users\user\AppData\Local\...\monster.exe, PE32+
      dropped: 19 other malicious files
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 7 other signatures
      started: judit.exe (47)
        dropped: C:\Users\user\AppData\...\_quoting_c.pyd, PE32+
        dropped: C:\Users\user\AppData\...\vcruntime140.dll, PE32+
        dropped: C:\Users\user\AppData\...\unicodedata.pyd, PE32+
        dropped: 32 other files (31 malicious)
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        started: stub.exe (29)
          IP: 208.95.112.1 (TUT-ASUS, United States)
          IP: 185.199.109.133 (FASTLYUS, Netherlands)
          IP: 2 other IPs or domains
          dropped: C:\Users\user\AppData\Local\...\Monster.exe, PE32+
          dropped: C:\Users\user\AppData\...\system_info.txt, Algol
          dropped: C:\Users\user\AppData\...\process_info.txt, ASCII
          dropped: 3 other malicious files
          Signatures: Multi AV Scanner detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc); Modifies the windows firewall; 5 other signatures
          started: cmd.exe
            Signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords; Uses attrib.exe to hide files
            started: conhost.exe
              Signatures: Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
          started: cmd.exe
            started: systeminfo.exe
              Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            started: net.exe
              started: net1.exe
            started: 3 other processes
          started: cmd.exe
            started: WMIC.exe
              Signatures: Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
            started: conhost.exe
          started: 9 other processes
            started: powershell.exe
              Signatures: Installs new ROOT certificates
            started: 16 other processes
      started: monster.exe
        dropped: C:\Users\user\AppData\...\_quoting_c.pyd, PE32+
        dropped: C:\Users\user\AppData\...\vcruntime140.dll, PE32+
        dropped: C:\Users\user\AppData\...\unicodedata.pyd, PE32+
        dropped: 32 other files (31 malicious)
      started: upd.exe
        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        started: RegAsm.exe
          dropped: C:\Users\user\AppData\Roaming\...\svhoost.exe, PE32
          dropped: C:\Users\user\AppData\Roaming\...\One.exe, PE32
          started: svhoost.exe
            IP: 185.172.128.33 (NADYMSS-ASRU, Russian Federation)
            Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Installs new ROOT certificates; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to steal Crypto Currency Wallets
          started: One.exe
            started: conhost.exe
        started: RegAsm.exe
          Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      started: 7 other processes
        IP: 185.215.113.67 (WHOLESALECONNECTIONSNL, Portugal)
        dropped: 2 other malicious files
        Signatures: Antivirus detection for dropped file; Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
        started: da_protected.exe
          IP: 195.2.71.70 (VDSINA-ASRU, Russian Federation)
          dropped: C:\Users\user\AppData\Local\Temp\oryefy.exe, PE32+
          Signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 4 other signatures
        started: MSBuild.exe
          IP: 104.21.91.177 (CLOUDFLARENETUS, United States)
          Signatures: Tries to harvest and steal ftp login credentials; Tries to steal Crypto Currency Wallets
        started: RegAsm.exe
          IP: 4.185.27.237 (LEVEL3US, United States)
        started: 2 other processes
          started: conhost.exe
  started: axplong.exe
    Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  started: svchost.exe
    IP: 184.28.90.27 (AKAMAI-ASUS, United States)
  started: Hkbsse.exe