MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603
SHA3-384 hash: c77bb3b44da189a581fb1fcc49ee0718f7d382c93706ee6c1332332a66e3e56cec707f9225f2cacfcab7737654d3a428
SHA1 hash: f38c3041926f329dac459bacce67850dc58ab15a
MD5 hash: 20fe52f3ba934b9b7454c194f44d74d0
humanhash: queen-kansas-wolfram-grey
File name:setup.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'890'304 bytes
First seen:2024-06-20 13:36:54 UTC
Last seen:2024-06-20 14:24:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:1/JK2aIjA7qco3fFT9eSzR160c8LE8x+dyh9tfzHEBZ/QJc0erHIuoDaFtTNihZi:VlfA7kvFJRPpAC+UdTmtQCtouortLka
TLSH T1C195335A9E474DF5C047263187788CED5B24EF0419CE88AD6FD96AF3F2131D42530AAE
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Chainskilabs
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
399
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603.exe
Verdict:
Malicious activity
Analysis date:
2024-06-20 13:39:18 UTC
Tags:
amadey botnet stealer loader themida risepro evasion
Link:
https://app.any.run/tasks/e9a4cb36-93cf-44d4-ae0b-638219572136

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.28450.25832.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6674320e89a056395101a4afwin7simulatehigh_evasion
Tags:
Banker Stealth Crypt Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6674307f910ec47e855b07ca/reports/63dbad36-568c-46f8-b410-7e51ebad8364/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ba930168-e538-4d63-8d8d-186566b8d155
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1460137
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Sigma detected: New RUN Key Pointing to Suspicious Folder
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1460137 Sample: setup.exe Startdate: 20/06/2024 Architecture: WINDOWS Score: 100 75 ipinfo.io 2->75 77 db-ip.com 2->77 101 Snort IDS alert for network traffic 2->101 103 Found malware configuration 2->103 105 Antivirus detection for dropped file 2->105 107 11 other signatures 2->107 10 setup.exe 5 2->10         started        14 RageMP131.exe 2->14         started        16 RageMP131.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 file5 71 C:\Users\user\AppData\Local\...\explortu.exe, PE32 10->71 dropped 73 C:\Users\...\explortu.exe:Zone.Identifier, ASCII 10->73 dropped 145 Detected unpacking (changes PE section rights) 10->145 147 Tries to evade debugger and weak emulator (self modifying code) 10->147 149 Tries to detect virtualization through RDTSC time measurements 10->149 20 explortu.exe 1 23 10->20         started        151 Machine Learning detection for dropped file 14->151 153 Found stalling execution ending in API Sleep call 14->153 155 Hides threads from debuggers 14->155 157 Tries to steal Mail credentials (via file / registry access) 16->157 159 Found many strings related to Crypto-Wallets (likely being stolen) 16->159 161 Tries to harvest and steal browser information (history, passwords, etc) 16->161 163 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->163 165 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->165 signatures6 process7 dnsIp8 85 147.45.47.155, 49705, 49707, 49709 FREE-NET-ASFREEnetEU Russian Federation 20->85 87 77.91.77.81, 49706, 49708, 49710 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 20->87 57 C:\Users\user\AppData\...\8bcaec3fef.exe, PE32 20->57 dropped 59 C:\Users\user\AppData\...\eaa97795e9.exe, PE32 20->59 dropped 61 C:\Users\user\AppData\Local\...\sarra[1].exe, PE32 20->61 dropped 63 4 other malicious files 20->63 dropped 117 Antivirus detection for dropped file 20->117 119 Multi AV Scanner detection for dropped file 20->119 121 Detected unpacking (changes PE section rights) 20->121 123 7 other signatures 20->123 25 b6042db502.exe 4 20->25         started        29 eaa97795e9.exe 1 7 20->29         started        32 8bcaec3fef.exe 1 20->32         started        34 explortu.exe 20->34         started        file9 signatures10 process11 dnsIp12 65 C:\Users\user\AppData\Local\...\axplong.exe, PE32 25->65 dropped 125 Antivirus detection for dropped file 25->125 127 Detected unpacking (changes PE section rights) 25->127 129 Machine Learning detection for dropped file 25->129 143 2 other signatures 25->143 36 axplong.exe 12 25->36         started        95 77.91.77.66, 49726, 49749, 49750 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 29->95 97 ipinfo.io 34.117.186.192, 443, 49796, 49808 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 29->97 99 db-ip.com 104.26.5.15, 443, 49798, 49812 CLOUDFLARENETUS United States 29->99 67 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 29->67 dropped 69 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 29->69 dropped 131 Creates multiple autostart registry keys 29->131 133 Uses schtasks.exe or at.exe to add and modify task schedules 29->133 135 Tries to evade debugger and weak emulator (self modifying code) 29->135 39 schtasks.exe 29->39         started        41 schtasks.exe 29->41         started        137 Binary is likely a compiled AutoIt script file 32->137 139 Hides threads from debuggers 32->139 141 Potentially malicious time measurement code found 32->141 43 chrome.exe 32->43         started        file13 signatures14 process15 dnsIp16 109 Antivirus detection for dropped file 36->109 111 Detected unpacking (changes PE section rights) 36->111 113 Machine Learning detection for dropped file 36->113 115 4 other signatures 36->115 46 conhost.exe 39->46         started        48 conhost.exe 41->48         started        89 192.168.2.5, 443, 49703, 49705 unknown unknown 43->89 91 192.168.2.4 unknown unknown 43->91 93 2 other IPs or domains 43->93 50 chrome.exe 43->50         started        53 chrome.exe 43->53         started        55 chrome.exe 43->55         started        signatures17 process18 dnsIp19 79 www.google.com 142.250.184.228, 443, 49753 GOOGLEUS United States 50->79 81 play.google.com 142.250.186.110, 443, 49780, 49788 GOOGLEUS United States 50->81 83 5 other IPs or domains 50->83
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-06-20 13:37:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hxfjw5ganov24si255sjlisw23jgurjzzxdibnsoutqnv3u46ybq._file
Verdict:
malicious
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:exelastealer family:lumma family:monster family:redline family:risepro botnet:0e6740 botnet:@logscloudyt_bot botnet:e76b71 botnet:livetraffic botnet:newbild defense_evasion discovery evasion execution infostealer persistence privilege_escalation spyware stealer themida trojan
Link:
https://tria.ge/reports/240620-qwsxhszgjg/
Behaviour
Collects information from the system
Enumerates processes with tasklist
Enumerates system info in registry
Gathers network information
Gathers system information
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Program crash
Embeds OpenSSL
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Hide Artifacts: Hidden Files and Directories
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detects Monster Stealer.
Exela Stealer
Lumma Stealer
Monster
RedLine
RedLine payload
RisePro
Malware Config
C2 Extraction:
http://147.45.47.155
77.91.77.66:58709
http://77.91.77.81
185.215.113.67:40960
185.172.128.33:8970
4.185.27.237:13528
https://parallelmercywksoffw.shop/api
https://willingyhollowsk.shop/api
https://liabiliytshareodlkv.shop/api
https://distincttangyflippan.shop/api
https://notoriousdcellkw.shop/api
https://macabrecondfucews.shop/api
https://conferencefreckewl.shop/api
https://greentastellesqwm.shop/api
https://flourhishdiscovrw.shop/api
https://stickyyummyskiwffe.shop/api
https://landdumpycolorwskfw.shop/api
https://sturdyregularrmsnhw.shop/api
https://barebrilliancedkoso.shop/api
https://lamentablegapingkwaq.shop/api
https://innerverdanytiresw.shop/api
https://standingcomperewhitwo.shop/api
https://accumulationeyerwos.shop/api
https://publicitycharetew.shop/api
https://computerexcudesp.shop/api
https://leafcalfconflcitw.shop/api
https://injurypiggyoewirog.shop/api
https://bargainnygroandjwk.shop/api
https://disappointcredisotw.shop/api
https://doughtdrillyksow.shop/api
https://facilitycoursedw.shop/api
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6f4c1837-f169-43cc-8f60-a9b183de2ca4
Unpacked files
SH256 hash:
e70c9a1b3682225493a611ab452bcb9152b18cc38c831f6965c2f728a8b6b4da
MD5 hash:
a4396579e13ff7e47ab88cf6d6b3676b
SHA1 hash:
8629ff769440119c57f7d4f3baa5ccdcef850fd7
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/c17c7410-f9ae-42cb-b6ad-ef814fb37f27/
SH256 hash:
3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603
MD5 hash:
20fe52f3ba934b9b7454c194f44d74d0
SHA1 hash:
f38c3041926f329dac459bacce67850dc58ab15a
Link:
https://www.unpac.me/results/c17c7410-f9ae-42cb-b6ad-ef814fb37f27/
Malware family:
RisePro
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3dca9b74c06b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2888851/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments