MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ed276242a69770fe215a6cb9941f57e24eb2289635c65c54353fe62ea015e8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ed276242a69770fe215a6cb9941f57e24eb2289635c65c54353fe62ea015e8e
SHA3-384 hash: ac2656187dee21305f0025eb5cd02c0618f7bc2c32bf9a5d9ccfc0d90cc3b40d8fc08163280ac8409e90a264af350cd5
SHA1 hash: 20300a63f6c8ccce917110e53bd8d4f1a49407fc
MD5 hash: a0de5117f2db3409eeb42464b5c2e811
humanhash: maryland-sixteen-xray-quiet
File name:a0de5117f2db3409eeb42464b5c2e811
Download: download sample
Signature Amadey
Create hunting rule
File size:3'102'720 bytes
First seen:2024-04-18 21:37:58 UTC
Last seen:2024-04-18 22:38:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:hrS87rJwyCOjzzXkKkuVVofoPEiNOlpRV1or6/mM4:hrv7CdOjzz0KkuYfoPbNWnLor6+M
TLSH T100E53B91B80676DFD48E27789837CD42B95D46BA0F1048C3D868F4BABE67EC115BBC24
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
386
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
3ed276242a69770fe215a6cb9941f57e24eb2289635c65c54353fe62ea015e8e.exe
Verdict:
Malicious activity
Analysis date:
2024-04-18 21:41:13 UTC
Tags:
amadey botnet stealer loader risepro
Link:
https://app.any.run/tasks/6ed59b98-a241-4bdf-b96d-0ba6b773deff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Reading critical registry keys
Launching the process to change network settings
Connection attempt to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm evasive fingerprint packed
Link:
https://www.filescan.io/uploads/662192bd75339da04f964b31/reports/3cea9306-56d7-4147-87b8-a2a89849a96a/overview
Verdict:
Malicious
Labled as:
Mikey.Generic
Link:
https://www.hybrid-analysis.com/sample/3ed276242a69770fe215a6cb9941f57e24eb2289635c65c54353fe62ea015e8e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/84339a86-dd42-4bbf-aeb6-3f5cfcd7674a
Result
Threat name:
Amadey, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1428439
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428439 Sample: UeW2b6mU6Z.exe Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 119 play.google.com 2->119 121 ipinfo.io 2->121 123 db-ip.com 2->123 167 Snort IDS alert for network traffic 2->167 169 Found malware configuration 2->169 171 Antivirus detection for URL or domain 2->171 173 16 other signatures 2->173 10 explorha.exe 2 32 2->10         started        15 UeW2b6mU6Z.exe 5 2->15         started        17 chrosha.exe 2->17         started        19 9 other processes 2->19 signatures3 process4 dnsIp5 141 193.233.132.167, 49739, 49744, 49746 FREE-NET-ASFREEnetEU Russian Federation 10->141 143 193.233.132.56, 49737, 49738, 49740 FREE-NET-ASFREEnetEU Russian Federation 10->143 101 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 10->101 dropped 103 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 10->103 dropped 105 C:\Users\user\AppData\...\590971cd60.exe, PE32 10->105 dropped 115 8 other malicious files 10->115 dropped 205 Creates multiple autostart registry keys 10->205 227 3 other signatures 10->227 21 590971cd60.exe 10->21         started        26 amert.exe 10->26         started        28 rundll32.exe 10->28         started        38 3 other processes 10->38 107 C:\Users\user\AppData\Local\...\explorha.exe, PE32 15->107 dropped 207 Detected unpacking (changes PE section rights) 15->207 209 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->209 211 Tries to evade debugger and weak emulator (self modifying code) 15->211 229 2 other signatures 15->229 30 explorha.exe 15->30         started        109 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 17->109 dropped 111 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 17->111 dropped 117 2 other malicious files 17->117 dropped 213 Antivirus detection for dropped file 17->213 215 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->215 217 Machine Learning detection for dropped file 17->217 32 rundll32.exe 17->32         started        34 rundll32.exe 17->34         started        145 127.0.0.1 unknown unknown 19->145 113 C:\Users\user\...\4JKZLoG_AJreMfNRzAg0gnZ.zip, Zip 19->113 dropped 219 Binary is likely a compiled AutoIt script file 19->219 221 Tries to steal Mail credentials (via file / registry access) 19->221 223 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 19->223 225 Tries to harvest and steal browser information (history, passwords, etc) 19->225 36 chrome.exe 19->36         started        40 2 other processes 19->40 file6 signatures7 process8 dnsIp9 125 147.45.47.93, 49799, 58709 FREE-NET-ASFREEnetEU Russian Federation 21->125 127 ipinfo.io 34.117.186.192, 443, 49802 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 21->127 129 db-ip.com 104.26.5.15, 443, 49804 CLOUDFLARENETUS United States 21->129 93 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 21->93 dropped 95 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 21->95 dropped 97 C:\Users\user\...\aMLtP386CmzygUXw7MGrDsU.zip, Zip 21->97 dropped 179 Detected unpacking (changes PE section rights) 21->179 181 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->181 183 Tries to steal Mail credentials (via file / registry access) 21->183 201 3 other signatures 21->201 42 schtasks.exe 21->42         started        44 schtasks.exe 21->44         started        46 WerFault.exe 21->46         started        99 C:\Users\user\AppData\Local\...\chrosha.exe, PE32 26->99 dropped 185 Tries to evade debugger and weak emulator (self modifying code) 26->185 187 Hides threads from debuggers 26->187 189 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->189 48 rundll32.exe 25 28->48         started        191 Antivirus detection for dropped file 30->191 193 Multi AV Scanner detection for dropped file 30->193 195 Machine Learning detection for dropped file 30->195 203 3 other signatures 30->203 51 rundll32.exe 32->51         started        197 System process connects to network (likely due to code injection or exploit) 34->197 53 chrome.exe 36->53         started        60 2 other processes 36->60 199 Binary is likely a compiled AutoIt script file 38->199 56 chrome.exe 38->56         started        58 chrome.exe 40->58         started        file10 signatures11 process12 dnsIp13 62 conhost.exe 42->62         started        64 conhost.exe 44->64         started        157 Tries to steal Instant Messenger accounts or passwords 48->157 159 Uses netsh to modify the Windows network and firewall settings 48->159 161 Tries to harvest and steal WLAN passwords 48->161 66 powershell.exe 48->66         started        70 netsh.exe 2 48->70         started        163 Tries to harvest and steal ftp login credentials 51->163 165 Tries to harvest and steal browser information (history, passwords, etc) 51->165 72 powershell.exe 51->72         started        74 netsh.exe 51->74         started        131 108.177.122.99 GOOGLEUS United States 53->131 133 172.217.215.136 GOOGLEUS United States 53->133 139 6 other IPs or domains 53->139 135 192.168.2.4, 443, 49723, 49724 unknown unknown 56->135 137 239.255.255.250 unknown Reserved 56->137 76 chrome.exe 56->76         started        79 chrome.exe 56->79         started        81 2 other processes 56->81 signatures14 process15 dnsIp16 91 C:\Users\user\...\246122658369_Desktop.zip, Zip 66->91 dropped 175 Found many strings related to Crypto-Wallets (likely being stolen) 66->175 177 Loading BitLocker PowerShell Module 66->177 83 conhost.exe 66->83         started        85 conhost.exe 70->85         started        87 conhost.exe 72->87         started        89 conhost.exe 74->89         started        147 youtube-ui.l.google.com 108.177.122.91, 443, 49747 GOOGLEUS United States 76->147 149 www3.l.google.com 142.250.105.138, 443, 49783 GOOGLEUS United States 76->149 155 4 other IPs or domains 76->155 151 74.125.138.101 GOOGLEUS United States 79->151 153 play.google.com 79->153 file17 signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3ed276242a69770fe215a6cb9941f57e24eb2289635c65c54353fe62ea015e8e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ed276242a69770fe215a6cb9941f57e24eb2289635c65c54353fe62ea015e8e/
Threat name:
Win32.Trojan.RisePro
Create hunting rule
Status:
Malicious
First seen:
2024-04-18 21:38:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3jhmjbknf3q7yqvu3fzsqpvpysowiujmnoglrkdkp7gf2qbl2ha._file
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:redline family:risepro family:stealc family:zgrat botnet:livetraffic evasion infostealer persistence rat spyware stealer themida trojan
Link:
https://tria.ge/reports/240418-1g2afsfe83/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect ZGRat V1
Lumma Stealer
RedLine
RedLine payload
RisePro
Stealc
ZGRat
Malware Config
C2 Extraction:
http://193.233.132.56
http://193.233.132.167
147.45.47.93:58709
4.184.225.183:30592
http://52.143.157.84
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
Unpacked files
SH256 hash:
e4a8f13847c34563de976c1281690a61f89e587fe09d23f46a2111c7b2459fb0
MD5 hash:
27a9644d3b7c19850c5c70371d765d9a
SHA1 hash:
fbb09d62a3c9db529b37206393c03c7e36877b0b
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/8ac27703-695c-4065-bd4d-7639a2b26a5c/
SH256 hash:
3ed276242a69770fe215a6cb9941f57e24eb2289635c65c54353fe62ea015e8e
MD5 hash:
a0de5117f2db3409eeb42464b5c2e811
SHA1 hash:
20300a63f6c8ccce917110e53bd8d4f1a49407fc
Link:
https://www.unpac.me/results/8ac27703-695c-4065-bd4d-7639a2b26a5c/
Malware family:
RisePro
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ed276242a69/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_bd24be68
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_bytecodes_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 3ed276242a69770fe215a6cb9941f57e24eb2289635c65c54353fe62ea015e8e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2817452/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments


Avatar
zbet commented on 2024-04-18 21:37:59 UTC

url : hxxp://147.45.47.102:57893/hera/amadka.exe