MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 441e819c659c98850d8c9afe03bdf7f0626a3facbf6b13a4085c3a60fd6aa16c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 10



SHA256 hash: 441e819c659c98850d8c9afe03bdf7f0626a3facbf6b13a4085c3a60fd6aa16c
SHA3-384 hash: 7cc53515a59a83d481a0b9cd2cc705587a612dd7edfce85d8563fed2da2f39183384c8d80a06714d6eb4e2da8f3121e8
SHA1 hash: dc71b793d32e6d14ac2b2e2e03b236928c44b1bd
MD5 hash: a36c01eb8e04ca7277066e971b96d5bd
humanhash: oklahoma-helium-wisconsin-glucose
File name: SecuriteInfo.com.Variant.Fragtor.12980.8853.31655
Signature: Amadey
File size: 219'136 bytes
First seen: 2021-08-29 21:59:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6af2f376c26d45636195772a4c22fdda (12 x RaccoonStealer, 5 x Stop, 3 x Amadey)
ssdeep: 3072:hyjeWxuva50N0IvJbAClhtGEAz32J8xF08eoh7+x0wsI5/DuT61m:hUeA0NdvJvhtGpL13+uwsI5/
Threatray: 3'423 similar samples on MalwareBazaar
TLSH: T11024F0193A74D1B2C5D755B08869D7613A6BBC219FB4828B3E98076F3E313D08A3D397
dhash icon: 4839b230e8c38890 (25 x RaccoonStealer, 4 x RedLineStealer, 3 x Smoke Loader)
Reporter: SecuriteInfoCom
Tags: Amadey exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Fragtor.12980.8853.31655
Verdict:
Malicious activity
Analysis date:
2021-08-29 22:00:44 UTC
Tags:
trojan amadey

Note:
ANY.RUN is an interactive sandbox; its verdict reflects every action taken during the analysis session, not only the behaviour of the uploaded sample.
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Sending a UDP request
Creating a window
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Deleting a recently created file
Enabling autorun by creating a file
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Amadey bot
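The "Posts data to a JPG file (protocol mismatch)" signature above is a generic check: the client POSTs a non-image body to a URL that is named like an image, or declares an image content type for data that carries no image magic. The following is an added example of how such a check can be implemented on raw HTTP requests; it is not the sandbox's code, and the two requests in it (including the 203.0.113.10 documentation address) are constructed for the example rather than captured from this sample.

```python
"""Check HTTP requests for the kind of protocol mismatch the sandbox flagged.

Added example, not sandbox code. The two requests below are constructed for
the example and are not traffic captured from this sample.
"""

# Declared content types and the file magic a genuine body would start with.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased; the body is returned as raw bytes.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def mismatch_findings(raw: bytes):
    """Return the mismatches found in one request, in a fixed order."""
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    findings = []
    # A body POSTed to a URL that ends in an image extension: image files are
    # normally fetched, so a POST to one is a beacon disguised as an image path.
    url_path = path.split("?", 1)[0].lower()
    if method == "POST" and url_path.endswith(IMAGE_EXTS):
        findings.append("post-to-image-url")
    # A declared image type whose body does not start with that format's magic.
    if ctype in MAGIC and not body.startswith(MAGIC[ctype]):
        findings.append(f"{ctype}-without-magic")
    return findings


# Constructed: a form-encoded beacon posted to a .jpg URL with an image content type.
REQ_A = (
    b"POST /upload/photo.jpg HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 18\r\n"
    b"\r\n"
    b"user=test&data=abc"
)

# Constructed: an upload to a non-image path whose body really is a JPEG.
REQ_B = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
)

if __name__ == "__main__":
    for name, req in (("REQ_A", REQ_A), ("REQ_B", REQ_B)):
        print(name, mismatch_findings(req) or "no mismatch")
```

The magic table is the general form of the check: any declared type with a well-known leading signature can be added to MAGIC, and the same comparison then catches a PE or script body smuggled under an image content type.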
Behaviour
Behavior Graph ID 473564 (start date 30/08/2021, architecture WINDOWS, score 100). Process tree recovered from the graph:
SecuriteInfo.com.Variant.Fragtor.12980.8853.exe (the submitted sample): drops C:\Users\user\AppData\Local\...\hnbux.exe (PE32); signature: contains functionality to inject code into remote processes; starts hnbux.exe, WerFault.exe (twice) and 5 other processes.
hnbux.exe: connects to 185.215.113.206 (ports 49709, 49710, 49712; WHOLESALECONNECTIONSNL, Portugal); signature: multi AV scanner detection for dropped file; starts WerFault.exe (four times).
Top-level signatures on the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); multi AV scanner detection for domain / URL; found malware configuration; 5 other signatures.
Threat name:
Win32.Trojan.Fragtor
Status:
Malicious
First seen:
2021-08-29 19:32:03 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:amadey trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
Amadey
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
185.215.113.206/k8FppT/index.php
Unpacked files
SHA256 hash: e7fea8786aff973d278f2ac29dea10eb9a50c506bfe9b84458374ec64908e059
MD5 hash: 6ff490287820f0ffb05ee01531efcd46
SHA1 hash: 6e6b766b652ca9770fcf01b2380d26c33bb3cfd2
SHA256 hash: 441e819c659c98850d8c9afe03bdf7f0626a3facbf6b13a4085c3a60fd6aa16c (the submitted sample)
MD5 hash: a36c01eb8e04ca7277066e971b96d5bd
SHA1 hash: dc71b793d32e6d14ac2b2e2e03b236928c44b1bd
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Amadey
File: Executable exe 441e819c659c98850d8c9afe03bdf7f0626a3facbf6b13a4085c3a60fd6aa16c (this sample)
