MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827
SHA3-384 hash: 98d23deed24dec0880f5bada70049202fb3b7ae093d7c85b2777803b96e6d7b48f2e5d62a23deb6a3b7ee24f2431ae61
SHA1 hash: 1ba9d78409d3188653fcb003d618b97a276577fa
MD5 hash: a9d35b3546a908c804d177020daefcb0
humanhash: item-lactose-item-kitten
File name:a9d35b3546a908c804d177020daefcb0.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:7'317'396 bytes
First seen:2021-08-14 08:21:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d619eda1a774da262071361b928bb2e4 (2 x Amadey, 1 x Gozi, 1 x FickerStealer)
ssdeep 196608:XPGZKb8EmARpfMWw93Axfy46VqPFUXd8hSXJTkWOg0rmt+kK1:+o7pa9wVaqcd8hSZkWOgOmHq
Threatray 12 similar samples on MalwareBazaar
TLSH T190763307E6B1D0B6E89D3071099D47669F383D388B72A0EB9BD069DD4C306D2AF36257
dhash icon fadadac2a2b8c4e4 (11 x Nitol, 2 x Amadey, 2 x AgentTesla)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://185.215.113.20/gb9fskvS/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.215.113.20/gb9fskvS/index.php https://threatfox.abuse.ch/ioc/186019/

Intelligence

File Origin
# of uploads :
1
# of downloads :
359
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://178.128.183.2/enelmarlavidaesmassabrosa/wango666.exe
Verdict:
Malicious activity
Analysis date:
2021-08-11 18:42:57 UTC
Tags:
trojan amadey
Link:
https://app.any.run/tasks/e36267a4-1e93-4986-8f33-8fb414b777c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179196/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Malware.Ursu-9854581-0
Create hunting rule

MiscreantPunch.SingleXOR.EXE.7.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.34718516.9208.5799.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Searching for the window
Sending a UDP request
Launching a process
Creating a file
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/312b2e1d-2c4d-4081-9e21-f2e5aaf3a4a7
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832828
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Amadey bot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827/
Threat name:
Win32.Downloader.Deyma
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 11:17:06 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iumt7ikn4yeqroky4pzgr32giv5mxpsnpnrxqsunyf32kecsratq._file
Verdict:
unknown
Similar samples:
0e3e35413de5649d66d3ae80a50c0d441f906343b0261b755a8cb72cd3e5efa2
Amadey
3842802e7361274e141d7b500af86e3835472e3cae874bb9e36a5c5d6216e330
Amadey
47c57530b5b6de027182a6e4fed09bdae9e57cebc090fb52ce948d72e75ca663
Amadey
4e825059cdc8c2116ff7737eead0e6482a2cbf0a5790deadd89202a4058765bd
Amadey
53f84c585648db8c79475af999a87b1ae087531dea1ced7013ace6f9d2bf6722
Amadey
725f81ee466371300ed43441bc35239089dd5283b8831193699b091fb2ad928c
Amadey
9aa78623c847c8344516bc815b9c055db994d9ee28c59a0102e1024b9706dbce
Amadey
baba47b989a148f877ffbeb492fe33395c7479a7e044810e1a5ddc8fbd2392e6
Amadey
d3c87bbd2121958c5beb20738999cf1d6938237d92fd98d19ba0bda2effde25a
Amadey
fb6eae45c38c680a2580247feed29592f40ab479339244c58b7f3397e773fbcd
Amadey
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery suricata upx
Link:
https://tria.ge/reports/210814-gxsfqqn16a/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Amadey CnC Check-In
Unpacked files
SH256 hash:
9b927e1596d6f6ed1718966f75479b29549f938187d5cfd19f75b7e4e37425a2
MD5 hash:
2bab508ddd082c57254d94235d3d93ee
SHA1 hash:
05405ce184cbb25d0ea10b1c7eff97679ab3e395
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
08ff7fbcdd16bf0b31d14e21436544f4db418ecee6ba9c41fcad8049d0a0fa92
MD5 hash:
2bc58e0c586f0e7e1a865d4b4d2c176f
SHA1 hash:
0b5bd20fe9c50acc4f78334785284cebb0940390
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
9f8729ac49e0ccea86fe3b1a9b2c3fae9986ecd09db92853e7a588dbda85bf90
MD5 hash:
54789344b07bed58e43851eca47e2b12
SHA1 hash:
93c561365bc7f1cbb5385d0323ed81044a6ec276
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
f44326a1a2e2fecb4029c19b7a5c0777821cd6bae9b415989d3f8007c15861d5
MD5 hash:
eda6dcf70b3423d40078e5440fad3704
SHA1 hash:
0ddee7bf081fa20e71683d9ab2029ce93a7ee1b3
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
f3c6739b77272c8a5e8c22202d42972d598dfbd7b43614583f52dd31a6bf3cb2
MD5 hash:
59d9ae902520b4cb877315fbeaeefded
SHA1 hash:
8daac0c7319247bc57618de963388e8976df04fd
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
1e02248fc226f1813f9a473aaf8dc9bd264101a6e371ddb73e145c0949834d47
MD5 hash:
4b874a3043d5e3c133f4c35863159638
SHA1 hash:
3a7d21700497d81c41193544b7ea913032d0aa82
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
0b120ee62f9ae12acd9c9994d43579141c5e4ae8ec84acbf227dd57afacc42e4
MD5 hash:
6d94f52bd532c57995a6b011f8b14f50
SHA1 hash:
e0047e9a014405b63aaa05336ec3b9bd173d60e6
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
d838c40848daf87743e96d42f8db18bb66a0b27cff5a48926a85a61c2d3e05b9
MD5 hash:
0bfef61b203054f6fbf08419ffe3f018
SHA1 hash:
ed9d0418507630996eb2c473ec5daf11d185c2c6
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
eb8f046e2404e91748976f409814ffc862c40835d080c06d4b83088515851927
MD5 hash:
abab72ed49b141ad05841d92ffbb425a
SHA1 hash:
058b173204910d6299e8adeba9b1e530502f238f
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
df9e6d69bd7cd95ea18b5b980d91a49e931f6671444da40068e40a80a5c4c91d
MD5 hash:
2b0a45dfeafc8532da91d8d8a5c82a0d
SHA1 hash:
57faec8feac8df0ebad1ce3abf220ea75be92698
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
6486eb74a008109826731bf73e4cfed5acd4feb2b8c8c2825bb2ecdb9da982a5
MD5 hash:
4a9b0f444ac743624a8a975d121c7111
SHA1 hash:
99c8d48075e63e7b5aa80d39bc6e375c5e6d080b
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
5de35a3de224a39ae9e5f68f55711e75a13869e05c11cf02cf026996ab10b53c
MD5 hash:
7ecebf023300b9b55d8c45a4c418e777
SHA1 hash:
f82a08f188eeab23adb988cfdecd9bfb7d5d3f58
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
e3dc7ea9412525f29f4a13d412a8b64d7da0e18f5c506d26df5d958f7667280a
MD5 hash:
5026b281f29df1f4c2ab120a70f3550f
SHA1 hash:
7ae56eb0d2fa8b52f95d1f4ba692cd6caa95545f
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
SH256 hash:
45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827
MD5 hash:
a9d35b3546a908c804d177020daefcb0
SHA1 hash:
1ba9d78409d3188653fcb003d618b97a276577fa
Link:
https://www.unpac.me/results/37f7b749-9c70-4a4e-893c-0c2ba78e064a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/45193fa14de6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179196/

Comments