MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42e369c8a08e42bb7ca81f3b4598b1352766fd602c32adc21cd5f1afab85f7f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 7

Intelligence 7 IOCs 1 YARA File information Comments

SHA256 hash:	42e369c8a08e42bb7ca81f3b4598b1352766fd602c32adc21cd5f1afab85f7f3
SHA3-384 hash:	ae2d2d9d1f7067111f77fe16d03b8a3cd6baac618a4575b11e231d56bbce8d78fdea7370700f7e908e65fd07d6accf0c
SHA1 hash:	c2663a2189440deae7a3826109bceacaea3a99d9
MD5 hash:	3c76e12084f57410323212b79c24a4ad
humanhash:	sweet-oven-pasta-rugby
File name:	3c76e12084f57410323212b79c24a4ad.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	7'513'112 bytes
First seen:	2021-09-29 10:16:19 UTC
Last seen:	2021-09-29 11:22:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0ab020de3096b6aafb4fadfac4d16825 (16 x CryptBot, 3 x ArkeiStealer, 3 x LockBit)
ssdeep	98304:LH7CgqLPRPYv7cZuwYx72XPo0+XH6zVLexfY+/1P6w0UYv6M0kMfRG1DOUYeixTA:b+gqLKB2pUca6+NP6yYbUGbYemTENFZ3
Threatray	46 similar samples on MalwareBazaar
TLSH	T10D76F130768BC52BD5A605B15A3CDB9F5128BFB60F6250D7A3E42E6E05B48C35332E27
File icon (PE):
dhash icon	6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
http://185.215.113.13/g4MbvE/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.215.113.13/g4MbvE/index.php	https://threatfox.abuse.ch/ioc/227531/

Intelligence

File Origin

# of uploads :

2

# of downloads :

332

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

3c76e12084f57410323212b79c24a4ad.exe

Verdict:

Malicious activity

Analysis date:

2021-09-29 10:20:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4d6ff009-32f4-4e22-93e3-bd61763ec0f0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/193100/

Detection(s):

SecuriteInfo.com.generic.ml.24773.13688.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2a8cc485-acce-4037-ab16-a3106516bdb9

Result

Threat name:

Amadey

Detection:

malicious

Classification:

troj

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/860760

Signature

PE file has a writeable .text section

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Amadey bot

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42e369c8a08e42bb7ca81f3b4598b1352766fd602c32adc21cd5f1afab85f7f3/

Threat name:

Win32.Downloader.Deyma

Status:

Malicious

First seen:

2021-09-29 10:17:04 UTC

AV detection:

2 of 45 (4.44%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ilrwtsfarzblw7fid45ulgfrgutwn7lafqzk3qq42xy27k4f67zq._file

Verdict:

unknown

Similar samples:

3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27

384292cad1c05552ccbd691de48865ce75375f7e601db66b3f5cad0f8f294d6c

38b2cd6c40791c11a2cdb5f2c31f2304175a202e11e25bfcc87ed914e6bf5902

4f2ada4fba44e50c0c23762724b98dcd98d54340ace84ea1493358987c3dfebd

57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5

73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e

e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4

ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9

+ 36 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210929-mbcs1sefgn/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Enumerates connected drives

Drops startup file

Loads dropped DLL

Blocklisted process makes network request

Executes dropped EXE

suricata: ET MALWARE Amadey CnC Check-In

Unpacked files

SH256 hash:

42e369c8a08e42bb7ca81f3b4598b1352766fd602c32adc21cd5f1afab85f7f3

MD5 hash:

3c76e12084f57410323212b79c24a4ad

SHA1 hash:

c2663a2189440deae7a3826109bceacaea3a99d9

Link:

https://www.unpac.me/results/0f23ca91-d8d6-4ce1-8b06-8c38ee4c0cab/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/42e369c8a08e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/42e369c8a08e42bb7ca81f3b4598b1352766fd602c32adc21cd5f1afab85f7f3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/193100/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample