MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40b5bf06cc102c64baa6e227edf70a638d1f2c03035a3f0fafac5f448496a6d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40b5bf06cc102c64baa6e227edf70a638d1f2c03035a3f0fafac5f448496a6d5
SHA3-384 hash: 08ea6d2f722b60ed3c316f887fab4befc8c13d6c710e3b7e80ccd34665dc34772de5cfee890af03e0e35afccc08e920d
SHA1 hash: 166d78e0e86a6ce1208adc62a9664898dad5071a
MD5 hash: 2f159603b41f5ec61d187922aaffed9b
humanhash: table-oxygen-steak-lima
File name:2f159603b41f5ec61d187922aaffed9b.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:253'304 bytes
First seen:2023-09-11 02:15:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep 6144:8V3UPz6DCGbAR/VeDC1tAO7cCGxVffturBiIg:8mPzaC+UjevVurBiIg
Threatray 1'487 similar samples on MalwareBazaar
TLSH T123349E31B4E1C432D932953609F0E7B55A3EB9700BA199EF93A40F7F4F202C1AB75A56
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
162.33.179.91:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2f159603b41f5ec61d187922aaffed9b.exe
Verdict:
No threats detected
Analysis date:
2023-09-11 02:18:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/79e7fbe3-8706-4da7-90ec-56b4cc82cea8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447795/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.28173.22799.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/40b5bf06cc102c64baa6e227edf70a638d1f2c03035a3f0fafac5f448496a6d5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fb49f224-660e-43c8-9cae-483d036154f9
Result
Threat name:
Amadey, Mystic Stealer, RedLine, SmokeLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306982
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1306982 Sample: hUYCxTbHdc.exe Startdate: 11/09/2023 Architecture: WINDOWS Score: 100 134 tse1.mm.bing.net 2->134 176 Snort IDS alert for network traffic 2->176 178 Found malware configuration 2->178 180 Malicious sample detected (through community Yara rule) 2->180 182 12 other signatures 2->182 13 hUYCxTbHdc.exe 1 2->13         started        16 caghdie 2->16         started        18 oneetx.exe 2->18         started        signatures3 process4 signatures5 214 Contains functionality to inject code into remote processes 13->214 216 Writes to foreign memory regions 13->216 218 Allocates memory in foreign processes 13->218 220 Injects a PE file into a foreign processes 13->220 20 AppLaunch.exe 13->20         started        23 WerFault.exe 23 9 13->23         started        25 conhost.exe 13->25         started        process6 signatures7 184 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->184 186 Maps a DLL or memory area into another process 20->186 188 Checks if the current machine is a virtual machine (disk enumeration) 20->188 190 Creates a thread in another existing process (thread injection) 20->190 27 explorer.exe 3 17 20->27 injected process8 dnsIp9 140 79.137.192.18, 49722, 80 PSKSET-ASRU Russian Federation 27->140 142 77.91.68.29, 49709, 49711, 49716 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 27->142 144 2 other IPs or domains 27->144 116 C:\Users\user\AppData\Roaming\caghdie, PE32 27->116 dropped 118 C:\Users\user\AppData\Local\Temp\DC55.exe, PE32 27->118 dropped 120 C:\Users\user\AppData\Local\Temp\BA10.exe, PE32 27->120 dropped 122 3 other malicious files 27->122 dropped 222 System process connects to network (likely due to code injection or exploit) 27->222 224 Benign windows process drops PE files 27->224 226 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->226 32 BA10.exe 4 27->32         started        36 2F1D.exe 27->36         started        38 75DE.exe 27->38         started        40 2 other processes 27->40 file10 signatures11 process12 dnsIp13 90 C:\Users\user\AppData\Local\...\x6392662.exe, PE32 32->90 dropped 92 C:\Users\user\AppData\Local\...\k5635170.exe, PE32 32->92 dropped 146 Antivirus detection for dropped file 32->146 148 Machine Learning detection for dropped file 32->148 43 x6392662.exe 4 32->43         started        94 C:\Users\user\AppData\Local\...\y1656455.exe, PE32 36->94 dropped 96 C:\Users\user\AppData\Local\...\p8241528.exe, PE32 36->96 dropped 47 y1656455.exe 36->47         started        98 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 38->98 dropped 150 Multi AV Scanner detection for dropped file 38->150 49 oneetx.exe 38->49         started        136 162.33.179.91, 49729, 80 CORENETUS United States 40->136 138 api.ip.sb 40->138 152 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->152 154 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 40->154 156 Tries to harvest and steal browser information (history, passwords, etc) 40->156 158 4 other signatures 40->158 52 vbc.exe 40->52         started        file14 signatures15 process16 dnsIp17 108 C:\Users\user\AppData\Local\...\x3090298.exe, PE32 43->108 dropped 110 C:\Users\user\AppData\Local\...\j6400486.exe, PE32 43->110 dropped 196 Antivirus detection for dropped file 43->196 198 Machine Learning detection for dropped file 43->198 54 x3090298.exe 4 43->54         started        112 C:\Users\user\AppData\Local\...\y4372199.exe, PE32 47->112 dropped 114 C:\Users\user\AppData\Local\...\o2325325.exe, PE32 47->114 dropped 58 y4372199.exe 47->58         started        128 5.42.65.80, 49727, 49728, 49730 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 49->128 130 192.168.2.1 unknown unknown 49->130 200 Multi AV Scanner detection for dropped file 49->200 202 Creates an undocumented autostart registry key 49->202 204 Uses schtasks.exe or at.exe to add and modify task schedules 49->204 60 cmd.exe 49->60         started        62 schtasks.exe 49->62         started        132 176.123.9.85, 16482, 49724 ALEXHOSTMD Moldova Republic of 52->132 206 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->206 208 Found many strings related to Crypto-Wallets (likely being stolen) 52->208 210 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->210 212 Tries to steal Crypto Currency Wallets 52->212 file18 signatures19 process20 file21 100 C:\Users\user\AppData\Local\...\i5110433.exe, PE32 54->100 dropped 102 C:\Users\user\AppData\Local\...\g4582216.exe, PE32 54->102 dropped 192 Antivirus detection for dropped file 54->192 194 Machine Learning detection for dropped file 54->194 64 i5110433.exe 54->64         started        68 g4582216.exe 1 54->68         started        104 C:\Users\user\AppData\Local\...\n2757989.exe, PE32 58->104 dropped 106 C:\Users\user\AppData\Local\...\m6982010.exe, PE32 58->106 dropped 70 n2757989.exe 58->70         started        72 m6982010.exe 58->72         started        74 conhost.exe 60->74         started        76 cmd.exe 60->76         started        78 cacls.exe 60->78         started        82 4 other processes 60->82 80 conhost.exe 62->80         started        signatures22 process23 dnsIp24 124 77.91.124.82, 19071, 49719, 49723 ECOTEL-ASRU Russian Federation 64->124 160 Antivirus detection for dropped file 64->160 162 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 64->162 164 Machine Learning detection for dropped file 64->164 166 Found many strings related to Crypto-Wallets (likely being stolen) 64->166 168 Writes to foreign memory regions 68->168 170 Allocates memory in foreign processes 68->170 172 Injects a PE file into a foreign processes 68->172 84 WerFault.exe 10 68->84         started        86 AppLaunch.exe 1 68->86         started        88 conhost.exe 68->88         started        174 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 70->174 126 5.42.92.211, 49720, 49761, 49765 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 72->126 signatures25 process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40b5bf06cc102c64baa6e227edf70a638d1f2c03035a3f0fafac5f448496a6d5/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Suspicious
First seen:
2023-09-11 02:16:06 UTC
File Type:
PE (Exe)
AV detection:
14 of 38 (36.84%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ic236bwmcawgjovg4it635ykmogr6ladannd6d5pvrpujbewu3kq._file
Verdict:
malicious
Similar samples:
17e9943c01ded30ef2334a1c43f3c38206e824fb6e4be3db4bf75745350a584e
Amadey
2de6754a429fb1bf67e370615ec3c27d10ff20749b3df395c16726e964f4ae72
Amadey
34f122f1f2078367b52f59c04bdce076617445442f95c62b96ec104e8ee733df
Amadey
4464eac337f79d47d791c202d2a12935d7f6df0e9e6cb7628368f48945eaf8dd
Amadey
86706e3bf9afefd55a0c2d7d98c163ca63e1eb4214951f789fbb596973ae7a6e
Amadey
8df6ff949de778a20deb98bd90e21d9e9449045b73f75cd62c051957997882bb
Amadey
9b8c90e5119853c1a09f31a773e2d4af151c78174c78b14eac6377c7562f7735
Amadey
9f78f23917333e4e4ee095e36f159d24d29117296c458b748831d4c0ede6b938
Amadey
f353607f3c6a01bc5e2ee8b7335157f2e68f5d129d77fe16ff0fe393d61a5f47
Amadey
f432f9cb89ee9ea1704bf3d33c85f19483a4258f4277b126201930dff9d119f5
Amadey
+ 1'477 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:smokeloader backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230911-cp5e3sdc32/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Amadey
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
http://5.42.65.80/8bmeVwqx/index.php
Unpacked files
SH256 hash:
40b5bf06cc102c64baa6e227edf70a638d1f2c03035a3f0fafac5f448496a6d5
MD5 hash:
2f159603b41f5ec61d187922aaffed9b
SHA1 hash:
166d78e0e86a6ce1208adc62a9664898dad5071a
Link:
https://www.unpac.me/results/a99527e7-5b6b-4fcc-84cb-2e32790cff7f/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/40b5bf06cc10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/40b5bf06cc102c64baa6e227edf70a638d1f2c03035a3f0fafac5f448496a6d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 40b5bf06cc102c64baa6e227edf70a638d1f2c03035a3f0fafac5f448496a6d5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710381/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447795/

Comments