MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358
SHA3-384 hash: 37c0712289e4e7f8ebb356f71109fbebff90575453efcb888a405b042c1d348c7824e41c272db2a7fbfbb830a0ba73d6
SHA1 hash: bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a
MD5 hash: 0f7a33360cfb19513d6d5261c1dc1394
humanhash: colorado-jersey-lactose-helium
File name:0f7a33360cfb19513d6d5261c1dc1394
Download: download sample
Signature Amadey
Create hunting rule
File size:592'488 bytes
First seen:2021-10-06 23:52:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:RdFqS35oGPZ1XQtWRsVY42I7HCMSU5MZtAo3pIo:3TPZ1XQossJxH6MKo
Threatray 182 similar samples on MalwareBazaar
TLSH T13BC49E25AFC7E705CE983B77E35B929043B250E20736D21AAF4DAAF57C130797E92601
File icon (PE):PE icon
dhash icon 30f8dcd8dcd871b2 (1 x RedLineStealer, 1 x Amadey, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
450
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-06 21:53:17 UTC
Tags:
trojan rat redline loader stealer vidar evasion opendir unwanted netsupport amadey
Link:
https://app.any.run/tasks/21ce69ec-4949-423a-8610-0d833ce82310

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195572/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending an HTTP GET request
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/615e36dfe3d213d202b9139d/reports/b8bf8ec3-6a92-415f-85db-a476b747bde1/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18762fa4-9a11-43c9-855a-dbc96d3ba86b
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865937
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 498365 Sample: awqybDuoVl Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected AntiVM3 2->60 62 6 other signatures 2->62 10 awqybDuoVl.exe 4 2->10         started        14 sqtvvs.exe 2->14         started        process3 file4 52 C:\Users\user\AppData\...\awqybDuoVl.exe.log, ASCII 10->52 dropped 72 Contains functionality to inject code into remote processes 10->72 74 Adds a directory exclusion to Windows Defender 10->74 76 Injects a PE file into a foreign processes 10->76 16 awqybDuoVl.exe 4 10->16         started        19 powershell.exe 25 10->19         started        21 awqybDuoVl.exe 10->21         started        signatures5 process6 file7 50 C:\Users\user\AppData\Local\...\sqtvvs.exe, PE32 16->50 dropped 23 sqtvvs.exe 4 16->23         started        26 conhost.exe 19->26         started        process8 signatures9 64 Machine Learning detection for dropped file 23->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 23->66 68 Adds a directory exclusion to Windows Defender 23->68 70 Injects a PE file into a foreign processes 23->70 28 sqtvvs.exe 23->28         started        31 powershell.exe 23->31         started        33 sqtvvs.exe 23->33         started        35 sqtvvs.exe 23->35         started        process10 dnsIp11 54 185.215.113.45, 49761, 49762, 49763 WHOLESALECONNECTIONSNL Portugal 28->54 37 cmd.exe 28->37         started        39 schtasks.exe 28->39         started        41 conhost.exe 31->41         started        process12 process13 43 reg.exe 37->43         started        46 conhost.exe 37->46         started        48 conhost.exe 39->48         started        signatures14 78 Creates an undocumented autostart registry key 43->78
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 19:43:50 UTC
AV detection:
6 of 28 (21.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
6bd20157eb146f12887ccb49fa09ac5b0c817983edc43ca1b665f17ad3ebfb25
Amadey
7ac85575a5601ad9b71531eb84ada81207d07b29d8fe2e949d56222bd1594135
Amadey
8babde64a6d3b85c2c4315205ae58884ee01f6364477a777f09d5b9c3ceef2a6
Amadey
a1b0074cbd56956cc94e6161361f8f7407075f2903d14d082c1006f411bec90a
Amadey
c5e41abe14036a3331b4bd9e3bb24be2424439a8030b8dfbe1a61a3da6482573
Amadey
c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d
Amadey
ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2
Amadey
+ 172 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211006-3w971sbff8/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2
MD5 hash:
d7a4223e43b194c93b0663e8e319fbaa
SHA1 hash:
d6cbe3198b1875a485773496b0e9c2b944b23133
Link:
https://www.unpac.me/results/f27f70a2-7791-4dc6-8f63-b06e5443916b/
SH256 hash:
35865dfc82c70f039bd4647c82e848e24b4913d0d97ad3ad0715396b22dc7c61
MD5 hash:
6a5004eba202baff86840e0ee45701e6
SHA1 hash:
9f8403533db830e4af366583c2107fcc0a8be2ac
Link:
https://www.unpac.me/results/f27f70a2-7791-4dc6-8f63-b06e5443916b/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/f27f70a2-7791-4dc6-8f63-b06e5443916b/
SH256 hash:
4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358
MD5 hash:
0f7a33360cfb19513d6d5261c1dc1394
SHA1 hash:
bd14d2c349fdeb1a1e3ea4e842e370ee7572eb8a
Link:
https://www.unpac.me/results/f27f70a2-7791-4dc6-8f63-b06e5443916b/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4138c3b3168b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 4138c3b3168b4cf2846b18945a5b575c0f17afe63826f1ca05515ba88c8ca358

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195572/
  
URLhaus
https://urlhaus.abuse.ch/url/1644572/

Comments


Avatar
zbet commented on 2021-10-06 23:52:53 UTC

url : hxxp://2.56.59.42/WW/file1.exe