MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d9ebf871e9ada91551158af5078da769ca8bea4014afcd75472deb0d4beb538. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	3d9ebf871e9ada91551158af5078da769ca8bea4014afcd75472deb0d4beb538
SHA3-384 hash:	b9990946310b813f35682733ce5726e0e10d59f389b51b235a47fff0858af91617bd4d179abd729bcfada314d273540a
SHA1 hash:	ea4a3b275a6abaf48d84a026382986274defb352
MD5 hash:	1e14a74052051f97b5b31ee8d5e92a32
humanhash:	glucose-earth-foxtrot-pip
File name:	1e14a74052051f97b5b31ee8d5e92a32.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	298'496 bytes
First seen:	2021-12-24 16:16:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2c115f58478a1d1f54657d2f0cdd12f3 (1 x Amadey)
ssdeep	6144:/J2b85U8DWamzCvGoPJm2MKMdZG3959iz:BCnSvuoPJm2MKM+395o
Threatray	6'205 similar samples on MalwareBazaar
TLSH	T1F9548F00BB90D435F1B722F94CB993A9753EBDE16B2491CB62D42AEE96356D0EC30317
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
45.9.20.85:5112

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.85:5112	https://threatfox.abuse.ch/ioc/285357/

Intelligence

File Origin

# of uploads :

# of downloads :

453

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1e14a74052051f97b5b31ee8d5e92a32.exe

Verdict:

Suspicious activity

Analysis date:

2021-12-24 16:19:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cc990f99-5e0e-4872-a31e-00dc120e3a45

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/216198/

Detection(s):

Win.Packed.Ulise-9917518-0

Win.Malware.Generic-9917519-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Searching for synchronization primitives

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Sending an HTTP GET request

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Moving a file to the Windows subdirectory

Launching a process

Launching the process to change the firewall settings

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/3105/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61c5f281ec6c6c14a9ef893f/reports/f7b187fb-bad0-451c-a630-92feb7881673/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f2d337f2-c2f7-425f-a0bd-add0368a6ef6

Result

Threat name:

Amadey RedLine SmokeLoader Tofsee Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/912503

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Copying Sensitive Files with Credential Data

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Amadey bot

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Tofsee

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3d9ebf871e9ada91551158af5078da769ca8bea4014afcd75472deb0d4beb538/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2021-12-24 16:17:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hwpl7by6tlnjcvirlcxva6g2o2okrpveaffpzv2uolplbvf6wu4a._file

Verdict:

malicious

Amadey

6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a

Amadey

8b9e05937557c312981409e1107aa75b580f170138d0a7abf3cfaa93dd9113aa

Amadey

be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881

Amadey

c37feba7ad29a50f566e779edd2c5514edcbd6e87909ca4d8e6d1f9727362d94

Amadey

d2b72372d1f6ff858237a0804714acfb2afa47ad2c2530a749ba738d2e0cf416

Amadey

ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0

Amadey

fbb99570b341367a86c2c23b56862bfb3d3ea91c06e7c15750f7d36bf82f494b

Amadey

+ 6'195 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:amadey family:arkei family:neshta family:raccoon family:redline family:smokeloader family:tofsee family:vidar botnet:1 botnet:10da56e7e71e97bdc1f36eb76813bbc3231de7e4 backdoor collection discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/211224-trclhsefd3/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Modifies registry class

Modifies registry key

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Arkei Stealer Payload

Amadey

Arkei

Detect Neshta Payload

Modifies system executable filetype association

Neshta

Raccoon

RedLine

RedLine Payload

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

Tofsee

Vidar

Windows security bypass

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
mubrikych.top
oxxyfix.xyz
86.107.197.138:38133
185.215.113.35/d2VxjasuwS/index.php
2.56.56.210/notAnoob/index.php