MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43b013fa0242673bc2b108430d203f81067c61f299c9dea6d5f16b6d4c22fbfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43b013fa0242673bc2b108430d203f81067c61f299c9dea6d5f16b6d4c22fbfb
SHA3-384 hash: 059d86cc406e86fb5617a986bbe979a5a0747b56aebab1e3522ad1203f74c51d8dcdc7cb9d14cbdf725ac62220936d91
SHA1 hash: 08c1709e81329738fe52aee91eeb66b07dd8d921
MD5 hash: c865b423de9c665ad259b769463d4d32
humanhash: apart-papa-september-four
File name:c865b423de9c665ad259b769463d4d32.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:4'678'568 bytes
First seen:2023-10-04 02:00:32 UTC
Last seen:2023-10-04 07:14:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 98304:xNoT/Izm5xnLbTDNIWuiaOty8ucIrH6fDk7AclfV:n2/Izm5xLbTDNIiaz8qTsA7XV
Threatray 3'146 similar samples on MalwareBazaar
TLSH T14C26D03C76785A31E65C8A305DE14B2CEA52B89131CEFAB6F940F3D9513276FA1884C7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 716525655c5d7933 (2 x Formbook, 1 x RedLineStealer, 1 x LimeRAT)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://cncdevelopment.boo/b9djs2g/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
331
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.8283.18816.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/43b013fa0242673bc2b108430d203f81067c61f299c9dea6d5f16b6d4c22fbfb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0668a9a-4832-422c-95bc-ffaa5bfa95fc
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1319144
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43b013fa0242673bc2b108430d203f81067c61f299c9dea6d5f16b6d4c22fbfb/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2023-10-04 02:01:13 UTC
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ioybh6qcijttxqvrbbbq2ib7qedhyypsthe55jwv6fvw2tbc7p5q._file
Verdict:
malicious
Similar samples:
007cfdd9d19a225b749811f15daee02016824bfd2fbb63934ff4df18ed59eeff
Amadey
50fab7e7c50e5cded050887693996292a8e546064e8e69c8826ca8f8f7b03242
Amadey
6490e5498bf6ca3c0b3cb40d581e019e8c4135fd8bc49580c30160f6b02450c6
Amadey
790b64a5860a5069fedcb660efdffce2b5ab2195086100a6079697b662f0c198
Amadey
b0dae00efdb8e3e23450b7c29f558a85a82f5a95fa2a94718ee9afc7ea4ad5f0
Amadey
b73234fec5a6cbf5e739a75ce9aa9674f11dd409a81c740f009e1bf18c767c94
Amadey
b835220d18074195e2df569e8088470b7f400c334aef1dd54dfe30e2019dab7a
Amadey
b9d4088106a3a557fb5d909c8c5b921971704d7b764306ee4190cefd9b8d89b0
Amadey
c961a1c23fe7e6704d8c4b718815dd0d1f93804de28756fb44ab0d6aa70776a1
Amadey
eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9
Amadey
+ 3'136 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey trojan
Link:
https://tria.ge/reports/231004-cfjr1sad74/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Amadey
Unpacked files
SH256 hash:
ba3a15c1202336bedcc1132c318d546941fe039f0e9309f6171d609c3cdb05cb
MD5 hash:
35de8e5f5ccb7510fa440a85e530ba18
SHA1 hash:
da6f8e14184ba8bf655622e7195b22ff870a77bb
Link:
https://www.unpac.me/results/079c708c-350b-4f3f-9b2a-9a022d6e2e64/
SH256 hash:
c01054ec9c64879285638aadf550834b2b66c6b5ec4e4801115f9ac8a52f661f
MD5 hash:
d76f6a12e943055d752199c93f785267
SHA1 hash:
93c701da6214e02e62417caa548a3cb1dc44eebc
Link:
https://www.unpac.me/results/079c708c-350b-4f3f-9b2a-9a022d6e2e64/
SH256 hash:
f3960778e5092ad26ea3ee86a238c78d4d465012cb1a45eb47e121ac577d9937
MD5 hash:
1ea342bb14ee095a5f06d93692502e79
SHA1 hash:
643bb88dfef8d040d79bb0e60017105c57261b5e
Link:
https://www.unpac.me/results/079c708c-350b-4f3f-9b2a-9a022d6e2e64/
SH256 hash:
ef7efa8a8b4c106898bd1ea7317b377e52751821548e52d18c61873434accf12
MD5 hash:
8865ba9971b705e9ec305f6e97826b1d
SHA1 hash:
15653149dc229125fc31a0257f28003fc9b102d5
Link:
https://www.unpac.me/results/079c708c-350b-4f3f-9b2a-9a022d6e2e64/
SH256 hash:
43b013fa0242673bc2b108430d203f81067c61f299c9dea6d5f16b6d4c22fbfb
MD5 hash:
c865b423de9c665ad259b769463d4d32
SHA1 hash:
08c1709e81329738fe52aee91eeb66b07dd8d921
Link:
https://www.unpac.me/results/079c708c-350b-4f3f-9b2a-9a022d6e2e64/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/43b013fa0242/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/43b013fa0242673bc2b108430d203f81067c61f299c9dea6d5f16b6d4c22fbfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 43b013fa0242673bc2b108430d203f81067c61f299c9dea6d5f16b6d4c22fbfb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2716253/
  
Delivery method
Distributed via web download

Comments