MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42054b960727fbd72bde57e8903881e4239e9500f1160ca298e10a1b438698a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42054b960727fbd72bde57e8903881e4239e9500f1160ca298e10a1b438698a8
SHA3-384 hash: fb17a2353251dec3e65490f5d16a65f4bf31b1ab95e64eab8e2550d0e063c6e9555e5a11d96de5f1754222d5cb65b9aa
SHA1 hash: f2e8d6fdaabbfedd6fca2a7676205756b0c72d3c
MD5 hash: 6738c904ba78a2268a8950152a6c7448
humanhash: music-may-idaho-nitrogen
File name:6738c904ba78a2268a8950152a6c7448.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:4'470'944 bytes
First seen:2021-07-19 15:32:52 UTC
Last seen:2021-07-19 16:46:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f8df424f905860bc01b3ba767a4c550e (1 x Amadey)
ssdeep 98304:evijXqgHXT9Xo/9xOtLIfqFbco+g5f1JGkV7FbTe7:evol5Xo9xOrb3Rff99C
Threatray 36 similar samples on MalwareBazaar
TLSH T12726236353A11182E4D28D398933FD9131F34F5A9AC3FCBC999AB9D536325E4E202D63
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c0f6d353__turbo-cpp-new-v.zip
Verdict:
Malicious activity
Analysis date:
2021-07-18 15:47:10 UTC
Tags:
evasion autoit loader trojan rat redline stealer amadey vidar phishing unwanted netsupport
Link:
https://app.any.run/tasks/30850b7c-e38f-4cac-8c22-acfd18858b66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172587/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.42517.11907.22223.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/582ecd3a-a61e-40e3-bb05-6f2902011ba2
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818406
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450818 Sample: vhNyVU8USk.exe Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 4 other signatures 2->47 8 vhNyVU8USk.exe 4 2->8         started        12 drbux.exe 2->12         started        14 drbux.exe 2->14         started        16 drbux.exe 2->16         started        process3 file4 33 C:\Users\user\AppData\Local\...\drbux.exe, PE32 8->33 dropped 57 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->57 18 drbux.exe 25 8->18         started        signatures5 process6 dnsIp7 35 x-vpn.ug 185.114.247.54, 49734, 49735, 49737 TIMEWEB-ASRU Russian Federation 18->35 37 cdn.discordapp.com 162.159.129.233, 49736, 49757, 49775 CLOUDFLARENETUS United States 18->37 39 192.168.2.1 unknown unknown 18->39 49 Multi AV Scanner detection for dropped file 18->49 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->51 53 Creates HTML files with .exe extension (expired dropper behavior) 18->53 55 3 other signatures 18->55 22 cmd.exe 1 18->22         started        24 schtasks.exe 1 18->24         started        signatures8 process9 process10 26 reg.exe 1 22->26         started        29 conhost.exe 22->29         started        31 conhost.exe 24->31         started        signatures11 59 Creates an undocumented autostart registry key 26->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42054b960727fbd72bde57e8903881e4239e9500f1160ca298e10a1b438698a8/
Threat name:
Win32.Downloader.Deyma
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 12:20:28 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac
Amadey
1b189602123e4dba4522d442877fb0862a8fbbc4cc6d187954ba27039bea7d9c
Amadey
2aaad8177d08507b09dc3d419b4d31f65db6fe6bc6314ffce650b9fc57f0817c
Amadey
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
Amadey
4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e
Amadey
5ac7fc154a948a26d0b7469dda7495f712cb15d055692e6cd989c07c92fee9f7
Amadey
84783081ade87f5a4a1902a275eb66c7fe8ebef9e43cdd2d4527bdb1a5a51f04
Amadey
88c98c6871442d02b5f26dc7625926c1dcd4de88a7d31bc53786f6182204c902
Amadey
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
Amadey
a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4
Amadey
+ 26 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey spyware stealer trojan
Link:
https://tria.ge/reports/210719-atfvb7lv3x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Malware Config
C2 Extraction:
x-vpn.ug/hfV3vDtt/index.php
Unpacked files
SH256 hash:
42054b960727fbd72bde57e8903881e4239e9500f1160ca298e10a1b438698a8
MD5 hash:
6738c904ba78a2268a8950152a6c7448
SHA1 hash:
f2e8d6fdaabbfedd6fca2a7676205756b0c72d3c
Link:
https://www.unpac.me/results/6e15fdec-3006-46f5-99f2-6563e528c063/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42054b960727fbd72bde57e8903881e4239e9500f1160ca298e10a1b438698a8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 42054b960727fbd72bde57e8903881e4239e9500f1160ca298e10a1b438698a8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1453956/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172587/

Comments