MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bf5525f7e9536da0a0cf982fad11dc70c315868de1f3fe90c3bd38c0595bf20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3bf5525f7e9536da0a0cf982fad11dc70c315868de1f3fe90c3bd38c0595bf20
SHA3-384 hash: 2386287f0e91f6c612ee9faefdebdd4097f75903fd06754992bed5ad0796750106b3e47e56f29344656e7e12e3d8b1fb
SHA1 hash: c48364bc381f70f0aa936700c024d6eb034107cf
MD5 hash: e35cab492708456c94ad9ee0beb35544
humanhash: shade-mirror-bravo-island
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:7'942'144 bytes
First seen:2023-08-24 17:19:09 UTC
Last seen:2023-08-30 00:06:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 46afc61b34fb8e20ac7399f0df86ba31 (4 x PrivateLoader, 2 x RiseProStealer, 1 x Amadey)
ssdeep 196608:gjF5UGBB3FYugDKNVXNtxey54nnIUtA7z0/:4UGBB3gKNhNbH40o
Threatray 2'818 similar samples on MalwareBazaar
TLSH T13A8612A18B88E6BCD4821578A40112F371C15C9BD6FAE44227C77C1275A2FFF356A7E2
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 719d8d7173f17317 (3 x PrivateLoader, 2 x RedLineStealer, 2 x Amadey)
Reporter andretavare5
Tags:Amadey exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc44017378_668355890?hash=OEXurxHv742cAEINPwUZWBvCkIvq2mo3gMKCk9mNEZz&dl=FcEr7W2vNSUK3rRVQ2uwXb1BnszbBNaV1N06orQc1Os&api=1&no_preview=1

Intelligence

File Origin
# of uploads :
2
# of downloads :
303
Origin country :
US US
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-08-24 17:21:49 UTC
Tags:
privateloader evasion loader stealer arkei vidar amadey trojan kelihos smoke miner
Link:
https://app.any.run/tasks/8ae9d853-6e91-4ced-8e17-d4f97d41475e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444579/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.877.17705.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Modifying a system file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Replacing files
Launching a service
Launching a process
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Forced system process termination
Using the Windows Management Instrumentation requests
Creating a window
Searching for synchronization primitives
Running batch commands
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Stealing user critical data
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed scar shell32
Link:
https://www.filescan.io/uploads/64e791459489ac1ead3f7c1b/reports/e29a9492-2b52-472b-9d46-e8dd070c9349/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/3bf5525f7e9536da0a0cf982fad11dc70c315868de1f3fe90c3bd38c0595bf20
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/089bebae-fada-4820-af27-2f9819fd167c
Result
Threat name:
Amadey, Glupteba, PrivateLoader, SmokeLo
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1296892
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files with benign system names
Found C&C like URL pattern
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Glupteba
Yara detected PrivateLoader
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1296892 Sample: file.exe Startdate: 24/08/2023 Architecture: WINDOWS Score: 100 136 taibi.at 2->136 176 Snort IDS alert for network traffic 2->176 178 Found malware configuration 2->178 180 Malicious sample detected (through community Yara rule) 2->180 182 23 other signatures 2->182 11 file.exe 10 27 2->11         started        16 cmd.exe 2->16         started        18 powershell.exe 19 2->18         started        20 3 other processes 2->20 signatures3 process4 dnsIp5 148 45.15.156.229, 49709, 49732, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 11->148 150 45.9.74.80, 49721, 49722, 80 FIRST-SERVER-EU-ASRU Russian Federation 11->150 152 7 other IPs or domains 11->152 126 C:\Users\...\yiaVAzv2SUPGDbTId05wkWPc.exe, PE32 11->126 dropped 128 C:\Users\...\hvNFRAT4BKWsiRqyH0nmuuuL.exe, PE32+ 11->128 dropped 130 C:\Users\...\LGyz0mer8OMhw1vUEsR89JZz.exe, PE32 11->130 dropped 132 2 other malicious files 11->132 dropped 236 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->236 238 May check the online IP address of the machine 11->238 240 Creates HTML files with .exe extension (expired dropper behavior) 11->240 246 4 other signatures 11->246 22 LGyz0mer8OMhw1vUEsR89JZz.exe 6 11->22         started        26 hvNFRAT4BKWsiRqyH0nmuuuL.exe 1 11->26         started        28 yiaVAzv2SUPGDbTId05wkWPc.exe 18 11->28         started        242 Uses powercfg.exe to modify the power settings 16->242 244 Modifies power options to not sleep / hibernate 16->244 31 conhost.exe 16->31         started        33 sc.exe 16->33         started        35 sc.exe 16->35         started        39 3 other processes 16->39 37 conhost.exe 18->37         started        file6 signatures7 process8 dnsIp9 112 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 22->112 dropped 114 C:\Users\user\AppData\Local\...\newplayer.exe, PE32 22->114 dropped 116 C:\Users\user\AppData\Local\...\a2644a17.exe, PE32 22->116 dropped 118 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 22->118 dropped 202 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->202 41 a2644a17.exe 22->41         started        44 newplayer.exe 22->44         started        47 31839b57a4f11171d6abc8bbc4451ee4.exe 22->47         started        49 toolspub2.exe 22->49         started        120 C:\Users\user\AppData\...\tdoaznvsxlum.tmp, PE32+ 26->120 dropped 122 C:\Windows\System32\drivers\etc\hosts, ASCII 26->122 dropped 204 Suspicious powershell command line found 26->204 206 Found many strings related to Crypto-Wallets (likely being stolen) 26->206 208 Writes to foreign memory regions 26->208 216 4 other signatures 26->216 154 t.me 149.154.167.99, 443, 49733 TELEGRAMRU United Kingdom 28->154 156 116.203.5.218, 10099, 49734 HETZNER-ASDE Germany 28->156 210 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->210 212 Tries to harvest and steal browser information (history, passwords, etc) 28->212 214 Tries to steal Crypto Currency Wallets 28->214 file10 signatures11 process12 file13 218 Detected unpacking (changes PE section rights) 41->218 220 Machine Learning detection for dropped file 41->220 222 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 41->222 234 3 other signatures 41->234 51 explorer.exe 41->51 injected 134 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 44->134 dropped 224 Antivirus detection for dropped file 44->224 226 Multi AV Scanner detection for dropped file 44->226 56 oneetx.exe 44->56         started        228 Detected unpacking (overwrites its own PE header) 47->228 230 Drops PE files with benign system names 47->230 58 31839b57a4f11171d6abc8bbc4451ee4.exe 47->58         started        60 powershell.exe 47->60         started        232 Injects a PE file into a foreign processes 49->232 62 toolspub2.exe 49->62         started        signatures14 process15 dnsIp16 138 189.232.25.209 UninetSAdeCVMX Mexico 51->138 140 shsplatform.co.uk 80.66.203.53 UKFASTGB United Kingdom 51->140 144 4 other IPs or domains 51->144 100 C:\Users\user\AppData\Roaming\eweewvw, PE32 51->100 dropped 102 C:\Users\user\AppData\Local\Temp\D3.exe, PE32 51->102 dropped 104 C:\Users\user\AppData\Local\Temp\4720.exe, PE32 51->104 dropped 184 System process connects to network (likely due to code injection or exploit) 51->184 186 Benign windows process drops PE files 51->186 188 Suspicious powershell command line found 51->188 190 Hides that the sample has been downloaded from the Internet (zone.identifier) 51->190 64 dialer.exe 51->64         started        67 cmd.exe 51->67         started        69 powershell.exe 51->69         started        142 79.137.192.18 PSKSET-ASRU Russian Federation 56->142 106 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 56->106 dropped 108 C:\Users\user\AppData\...\latestX[1].exe, PE32+ 56->108 dropped 192 Antivirus detection for dropped file 56->192 194 Multi AV Scanner detection for dropped file 56->194 196 Creates an undocumented autostart registry key 56->196 200 2 other signatures 56->200 72 latestX.exe 56->72         started        75 cmd.exe 56->75         started        77 schtasks.exe 56->77         started        110 C:\Windows\rss\csrss.exe, PE32 58->110 dropped 198 Creates an autostart registry key pointing to binary in C:\Windows 58->198 79 conhost.exe 60->79         started        file17 signatures18 process19 dnsIp20 158 Injects code into the Windows Explorer (explorer.exe) 64->158 160 Writes to foreign memory regions 64->160 162 Allocates memory in foreign processes 64->162 170 2 other signatures 64->170 81 lsass.exe 64->81 injected 94 7 other processes 64->94 164 Modifies power options to not sleep / hibernate 67->164 96 5 other processes 67->96 146 192.168.2.1 unknown unknown 69->146 84 conhost.exe 69->84         started        124 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 72->124 dropped 166 Multi AV Scanner detection for dropped file 72->166 168 Detected unpacking (creates a PE file in dynamic memory) 72->168 86 conhost.exe 75->86         started        88 cmd.exe 75->88         started        90 cacls.exe 75->90         started        98 4 other processes 75->98 92 conhost.exe 77->92         started        file21 signatures22 process23 signatures24 172 Injects code into the Windows Explorer (explorer.exe) 81->172 174 Writes to foreign memory regions 81->174
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3bf5525f7e9536da0a0cf982fad11dc70c315868de1f3fe90c3bd38c0595bf20/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-24 17:20:41 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hp2vex36su3nucqm7gbpvui5y4gdcwdi3ypt72imhpjyybmvx4qa._file
Verdict:
malicious
Similar samples:
08e61151199e31c2cf54f12f95c8ad95ee8467bb630166800114c0b912682a74
Amadey
0bc3689575acffde20abb2ff8db97b9698b07fc0e2f64a04ef10dea26fe64d87
Amadey
3995ed61d4b3901bfacb5a8d36500664c1145c6287f8eba5f0077ef1b780355c
Amadey
76e0a05722db609c2d5fc63f43fd52e093404f10f14722aa7f44fb967d2f153c
Amadey
81d2aa64b3f784fc0dab7694d106bedbd193786ab47dd064c0c5a8714d3fcaff
Amadey
8a2e061b3b38dff83f62982a6b0087e5c4ea1c47192bf0ac2f8f67397636b164
Amadey
902ad7ccf2e68e3240a3b9f8c41b09e2acc650db69a0593e7c17d04ce0ad0e2b
Amadey
bb1aa29dca7c55add0bd5e53c735645b5cd0d5ab5105fd412026fa2c69e06191
Amadey
c9dbc567a9764bc8e3daef054db96a7b8074b1855370f558d2ee5d859e705485
Amadey
+ 2'808 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:glupteba family:privateloader family:smokeloader family:vidar botnet:5451f7426913690bc3da17f9c17ac7c3 botnet:pub5 botnet:up3 backdoor dropper evasion loader spyware stealer trojan
Link:
https://tria.ge/reports/230824-vwegcaeb79/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Looks up external IP address via web service
Modifies boot configuration data using bcdedit
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Amadey
Glupteba
Glupteba payload
PrivateLoader
SmokeLoader
Vidar
Malware Config
C2 Extraction:
https://t.me/buukcay
https://steamcommunity.com/profiles/76561199544211655
45.9.74.80/0bjdn2Z/index.php
http://taibi.at/tmp/
http://01stroy.ru/tmp/
http://mal-net.com/tmp/
http://gromograd.ru/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
3bf5525f7e9536da0a0cf982fad11dc70c315868de1f3fe90c3bd38c0595bf20
MD5 hash:
e35cab492708456c94ad9ee0beb35544
SHA1 hash:
c48364bc381f70f0aa936700c024d6eb034107cf
Link:
https://www.unpac.me/results/016fe63f-5fef-4d36-a1a5-171d4bde7391/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3bf5525f7e95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3bf5525f7e9536da0a0cf982fad11dc70c315868de1f3fe90c3bd38c0595bf20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/444579/

Comments