MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4440634dfab2d75d42aa426922863d8629e111e44bf99faa60595ee6bda6fee6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4440634dfab2d75d42aa426922863d8629e111e44bf99faa60595ee6bda6fee6
SHA3-384 hash: b4d7360c793a45ada8fda0eef6ccaf17ce652062ccffad90153d6672de05047c36df5dcbf90b26c53d02e6e1d85de386
SHA1 hash: 5314d28fe0c42b11210d4ce5598a5ef93bbc8481
MD5 hash: 91e965390d1d90c6e1b746c54b77045f
humanhash: uranus-tennis-robert-mango
File name:91e965390d1d90c6e1b746c54b77045f.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'192'960 bytes
First seen:2023-10-10 05:55:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:nyL4piBFZTQGIAtMZ0QpBioMkyW/Fzv0cttCTtWXygqkCHAE:yL4yLTjhkgp61TtiWKH
TLSH T18D4523427BEC4662CBB557B05CF603C31B31B8F18F70477A2681E95A1CA1BB26536B72
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
185.229.64.66:443

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Sending a custom TCP request
Creating a file
Launching a process
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Disabling the operating system update service
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
HEUR/AGEN.1323756
Link:
https://www.hybrid-analysis.com/sample/4440634dfab2d75d42aa426922863d8629e111e44bf99faa60595ee6bda6fee6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fda1c77-b392-407c-bb9e-dd3d2bf57da0
Result
Threat name:
Amadey, Babadeda, Healer AV Disabler, My
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1322574
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found API chain indicative of debugger detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Healer AV Disabler
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1322574 Sample: 8D0yZWO31v.exe Startdate: 10/10/2023 Architecture: WINDOWS Score: 100 138 www3.l.google.com 2->138 140 www.google.com 2->140 142 10 other IPs or domains 2->142 158 Snort IDS alert for network traffic 2->158 160 Multi AV Scanner detection for domain / URL 2->160 162 Found malware configuration 2->162 164 19 other signatures 2->164 15 8D0yZWO31v.exe 1 4 2->15         started        18 svchost.exe 2->18         started        21 svchost.exe 1 2->21         started        23 6 other processes 2->23 signatures3 process4 file5 134 C:\Users\user\AppData\Local\...\fZ4cL95.exe, PE32 15->134 dropped 136 C:\Users\user\AppData\Local\...\5Lo1HQ8.exe, PE32 15->136 dropped 25 fZ4cL95.exe 1 4 15->25         started        154 Changes security center settings (notifications, updates, antivirus, firewall) 18->154 156 Query firmware table information (likely to detect VMs) 21->156 29 WerFault.exe 2 23->29         started        31 WerFault.exe 23->31         started        33 WerFault.exe 23->33         started        35 WerFault.exe 23->35         started        signatures6 process7 file8 118 C:\Users\user\AppData\Local\...\Ty2Ve63.exe, PE32 25->118 dropped 120 C:\Users\user\AppData\Local\...\4RV403aH.exe, PE32 25->120 dropped 212 Multi AV Scanner detection for dropped file 25->212 37 Ty2Ve63.exe 1 4 25->37         started        41 4RV403aH.exe 25->41         started        43 Conhost.exe 29->43         started        signatures9 process10 file11 102 C:\Users\user\AppData\Local\...\lQ2Of68.exe, PE32 37->102 dropped 104 C:\Users\user\AppData\Local\...\3zL69vf.exe, PE32 37->104 dropped 166 Multi AV Scanner detection for dropped file 37->166 45 3zL69vf.exe 37->45         started        48 lQ2Of68.exe 1 4 37->48         started        168 Found API chain indicative of debugger detection 41->168 170 Writes to foreign memory regions 41->170 172 Allocates memory in foreign processes 41->172 174 Injects a PE file into a foreign processes 41->174 51 AppLaunch.exe 41->51         started        54 WerFault.exe 41->54         started        signatures12 process13 dnsIp14 216 Multi AV Scanner detection for dropped file 45->216 218 Found API chain indicative of debugger detection 45->218 220 Writes to foreign memory regions 45->220 226 2 other signatures 45->226 56 AppLaunch.exe 45->56         started        59 AppLaunch.exe 45->59         started        61 AppLaunch.exe 45->61         started        63 WerFault.exe 45->63         started        98 C:\Users\user\AppData\Local\...\2LC7036.exe, PE32 48->98 dropped 100 C:\Users\user\AppData\Local\...\1rw07wz3.exe, PE32 48->100 dropped 65 2LC7036.exe 48->65         started        67 1rw07wz3.exe 9 48->67         started        144 77.91.124.55, 19071, 49717, 49723 ECOTEL-ASRU Russian Federation 51->144 222 Found many strings related to Crypto-Wallets (likely being stolen) 51->222 224 Tries to harvest and steal browser information (history, passwords, etc) 51->224 file15 signatures16 process17 signatures18 188 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 56->188 190 Maps a DLL or memory area into another process 56->190 192 Checks if the current machine is a virtual machine (disk enumeration) 56->192 194 Creates a thread in another existing process (thread injection) 56->194 69 explorer.exe 56->69 injected 196 Found API chain indicative of debugger detection 65->196 198 Contains functionality to inject code into remote processes 65->198 200 Writes to foreign memory regions 65->200 210 2 other signatures 65->210 74 AppLaunch.exe 12 65->74         started        76 WerFault.exe 22 16 65->76         started        202 Found many strings related to Crypto-Wallets (likely being stolen) 67->202 204 Modifies windows update settings 67->204 206 Disable Windows Defender notifications (registry) 67->206 208 Disable Windows Defender real time protection (registry) 67->208 process19 dnsIp20 146 5.42.65.80, 49746, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 69->146 148 77.91.68.29, 49718, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 69->148 152 2 other IPs or domains 69->152 106 C:\Users\user\AppData\Local\Temp311.exe, PE32 69->106 dropped 108 C:\Users\user\AppData\Local\Temp\DEBA.exe, PE32 69->108 dropped 110 C:\Users\user\AppData\Local\Temp\DB7D.exe, PE32 69->110 dropped 112 6 other files (5 malicious) 69->112 dropped 176 System process connects to network (likely due to code injection or exploit) 69->176 178 Benign windows process drops PE files 69->178 180 Hides that the sample has been downloaded from the Internet (zone.identifier) 69->180 78 C5B0.exe 69->78         started        82 CBBC.exe 69->82         started        150 5.42.92.211, 49712, 49719, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 74->150 182 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 74->182 184 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 74->184 84 Conhost.exe 74->84         started        file21 signatures22 process23 file24 126 C:\Users\user\AppData\Local\...\uX4Ai3gm.exe, PE32 78->126 dropped 128 C:\Users\user\AppData\Local\...\6DL59ss.exe, PE32 78->128 dropped 228 Antivirus detection for dropped file 78->228 230 Multi AV Scanner detection for dropped file 78->230 232 Machine Learning detection for dropped file 78->232 86 uX4Ai3gm.exe 78->86         started        234 Found API chain indicative of debugger detection 82->234 236 Writes to foreign memory regions 82->236 238 Allocates memory in foreign processes 82->238 240 Injects a PE file into a foreign processes 82->240 signatures25 process26 file27 114 C:\Users\user\AppData\Local\...\Ph9ww9cr.exe, PE32 86->114 dropped 116 C:\Users\user\AppData\Local\...\5sW43DB.exe, PE32 86->116 dropped 186 Multi AV Scanner detection for dropped file 86->186 90 Ph9ww9cr.exe 86->90         started        signatures28 process29 file30 122 C:\Users\user\AppData\Local\...\pF3AE9jx.exe, PE32 90->122 dropped 124 C:\Users\user\AppData\Local\...\4Zf423xH.exe, PE32 90->124 dropped 214 Multi AV Scanner detection for dropped file 90->214 94 pF3AE9jx.exe 90->94         started        signatures31 process32 file33 130 C:\Users\user\AppData\Local\...\CX7Es7xy.exe, PE32 94->130 dropped 132 C:\Users\user\AppData\Local\...\3Fm9fR54.exe, PE32 94->132 dropped 242 Multi AV Scanner detection for dropped file 94->242 signatures34
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4440634dfab2d75d42aa426922863d8629e111e44bf99faa60595ee6bda6fee6/
Threat name:
Win32.Trojan.Disabler
Create hunting rule
Status:
Malicious
First seen:
2023-10-10 05:56:06 UTC
File Type:
PE (Exe)
Extracted files:
152
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iraggtp2wllv2qvkijusfbr5qyu6cepejp4z7ktalfponpng73ta._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:healer family:redline family:smokeloader botnet:6012068394_99 botnet:lutyr botnet:magia botnet:up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231010-gm1rbsbd2t/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Amadey
DcRat
Detects Healer an antivirus disabler dropper
Glupteba
Glupteba payload
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
77.91.124.55:19071
http://77.91.68.29/fks/
http://77.91.124.1/theme/index.php
https://pastebin.com/raw/8baCJyMF
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
4e5cd82834477e6e315c1b643c14f7968df83a3ff02ff71f84e822ca722414bf
MD5 hash:
33199a6d5921243dab27785547ac92e7
SHA1 hash:
ddda6389b982069a1ae4b81974d390a858ffda1d
Link:
https://www.unpac.me/results/d182a9fd-a2da-406f-9e6c-6aa49f3736d2/
SH256 hash:
bab2520411d2c3fe556e10402867e719d7e944e8c522d8ac152d292d3201be04
MD5 hash:
1a784df9022ccbed8f8dfdf147f144ed
SHA1 hash:
8a0f266bfdd3ebc3d04341befab97f4d2f5d7da4
Link:
https://www.unpac.me/results/d182a9fd-a2da-406f-9e6c-6aa49f3736d2/
SH256 hash:
431be214153fd5ffd4ff4fe2826276c8feb1459837eda7462a171c824bd63d31
MD5 hash:
94a8f3962afb223c692c8c8757e2b14d
SHA1 hash:
3d5a3f9bcd56b73a96a70cdfb9def93b54643c1e
Link:
https://www.unpac.me/results/d182a9fd-a2da-406f-9e6c-6aa49f3736d2/
SH256 hash:
bfa9b5fe9625d16a7c8e904fc81a42bbfbc0c2acc1380ada85b3fb9e67aad8d0
MD5 hash:
081c9bde20726f72840452faeea0cae7
SHA1 hash:
721847d28f5c5c5f53ba4eccfbdc814b72032b64
Link:
https://www.unpac.me/results/d182a9fd-a2da-406f-9e6c-6aa49f3736d2/
SH256 hash:
764aef9ca1f582415261afc69a5cdf72a701b6846ab1cb98acb28f0cb4a31805
MD5 hash:
bee4f648a6ab3bb8405a2437485dcca8
SHA1 hash:
05f0067f9ef9dfd5271ed92aaf38b644eafb7290
Link:
https://www.unpac.me/results/d182a9fd-a2da-406f-9e6c-6aa49f3736d2/
SH256 hash:
146c18cabe95f2793efb56e47ddf4b962300b576750f3bbd8e87b01c8396efeb
MD5 hash:
39de5b859f5506f4c92440a4be5a3768
SHA1 hash:
44b40654fe34b5f3f687a1650a528a4c5ce7c8fc
Link:
https://www.unpac.me/results/d182a9fd-a2da-406f-9e6c-6aa49f3736d2/
SH256 hash:
4440634dfab2d75d42aa426922863d8629e111e44bf99faa60595ee6bda6fee6
MD5 hash:
91e965390d1d90c6e1b746c54b77045f
SHA1 hash:
5314d28fe0c42b11210d4ce5598a5ef93bbc8481
Link:
https://www.unpac.me/results/d182a9fd-a2da-406f-9e6c-6aa49f3736d2/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4440634dfab2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4440634dfab2d75d42aa426922863d8629e111e44bf99faa60595ee6bda6fee6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 4440634dfab2d75d42aa426922863d8629e111e44bf99faa60595ee6bda6fee6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2715539/
  
Delivery method
Distributed via web download

Comments