MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 16



SHA256 hash: 3d41425daa1e1844be0539723042dc532a640e5ba9ef9cdd09e22176c960098b
SHA3-384 hash: 6f240da0a61b7f6b6dfff755b6ee76a68cce353dca51d1952d9516a36d0298b02e4b122d642e2d8591205a8ee313c15d
SHA1 hash: 2c11da3a3989e6970508e8b1db1913c9cd9c9e4d
MD5 hash: 57127333600b753c8c5f51a1c01552fc
humanhash: minnesota-august-burger-nebraska
File name: 3D41425DAA1E1844BE0539723042DC532A640E5BA9EF9.exe
Signature: Amadey
File size: 7'223'384 bytes
First seen: 2022-01-27 16:55:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:ypYBEd44TZvaMtnxSJys3vx4c2QuLN/NyJaoyNq3ID+UY7gfUIR6KaoFFfS1P91:ypYBy4kXtnI3i/LBcJbyw3IYzPPF1
TLSH: T1B5763340A2D8E114CCF10ABE4979E3E4A3968726DEE98F14970AF61DB719517FC3DA03
File icon (PE): PE icon
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: Amadey exe


abuse_ch
Amadey C2:
65.108.101.231:4974

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
65.108.101.231:4974      https://threatfox.abuse.ch/ioc/351941/
5.149.255.205:40800      https://threatfox.abuse.ch/ioc/351942/

Intelligence


File Origin
# of uploads: 1
# of downloads: 394
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-09-18 11:45:27 UTC
Tags: trojan rat redline evasion stealer loader vidar banker dridex

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Socelars Vidar onlyLogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.Jaik
Status: Malicious
First seen: 2021-09-18 13:33:22 UTC
File Type: PE (Exe)
Extracted files: 171
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Verdict: malicious
Label(s):
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:socelars botnet:ani botnet:pab123 aspackv2 evasion infostealer loader spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
OnlyLogger Payload
Modifies Windows Defender Real-time Protection settings
OnlyLogger
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
45.142.215.47:27643
45.14.49.169:22411
Unpacked files
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: RedLine_b
Author: @bartblaze
Description: Identifies RedLine stealer.
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments