MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f7b6ae36e2853daac63bee95b2cc381b60f5dc381edad5d5648b8f7e35e61b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 16

SHA256 hash: 3f7b6ae36e2853daac63bee95b2cc381b60f5dc381edad5d5648b8f7e35e61b0
SHA3-384 hash: e8866d1ae900858711961d7ae99f9be70d5c3e3d05c7725ac1e3fe13551a42c64bf63c999f9047c889760afa2ba26ffe
SHA1 hash: 3584eb9aa78d1f330dc08b00030e83170091af19
MD5 hash: fdd425aebddb3239f86b601c49f0c2c5
humanhash: alanine-pasta-robin-eleven
File name: fdd425aebddb3239f86b601c49f0c2c5
Signature: Amadey
File size: 1'886'208 bytes
First seen: 2024-06-15 04:11:22 UTC
Last seen: 2024-06-15 04:18:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:TJrw4I73yiheF+eowU8ShczMH3jDLy9b5d+Rwk:drjIPhoUHiwXjKTl
TLSH: T15A953397DF171D34C628C0B4C92B73858E780DD217CCA6384EAD2B5ED1BB019F66627A
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: zbetcheckin
Tags: 32 Amadey exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 313
Origin country: FR

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 3f7b6ae36e2853daac63bee95b2cc381b60f5dc381edad5d5648b8f7e35e61b0.exe
Verdict: Malicious activity
Analysis date: 2024-06-15 04:13:54 UTC
Tags: amadey botnet stealer loader evasion exela redline meta metastealer python lumma adware neoreklami

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 81.4%
Tags: Banker Stealth Dexter

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm microsoft_visual_cc packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: LummaC, Python Stealer, Amadey, LummaC S
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected generic credential text file
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Yara detected LummaC Stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph: (interactive graph not reproduced) Behavior Graph ID: 1457690, Sample: 4TzzRzv0Hs.exe, Startdate: 15/06/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Amadey
Status: Suspicious
First seen: 2024-06-15 04:12:12 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:amadey botnet:e76b71 evasion trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey Malware Config
C2 Extraction: http://77.91.77.81

Unpacked files
SHA256 hash: ac3087d81af1e37cae33e05ef131b3d61f800850022e128473fe83a779b8a7b8
MD5 hash: 5164890bc9414efbfe24762ed99d23c7
SHA1 hash: f7f040cf8d8e255dcb17d69ed5edb12d0c0582a4
Detections: win_amadey

SHA256 hash: 3f7b6ae36e2853daac63bee95b2cc381b60f5dc381edad5d5648b8f7e35e61b0
MD5 hash: fdd425aebddb3239f86b601c49f0c2c5
SHA1 hash: 3584eb9aa78d1f330dc08b00030e83170091af19
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Amadey
Author: kevoreilly
Description: Amadey Payload

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: Windows_Generic_Threat_bd24be68
Author: Elastic Security

Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Amadey: Executable exe 3f7b6ae36e2853daac63bee95b2cc381b60f5dc381edad5d5648b8f7e35e61b0 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings:
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (HIGH_ENTROPY_VA) (severity: high)
CHECK_NX: Missing Non-Executable Memory Protection (severity: critical)

Comments

zbet commented on 2024-06-15 04:11:23 UTC

url: hxxp://77.91.77.82/soka/random.exe