MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 471e2e46c4ee5dc28001efd8f9d8a4bddbb59dcfec77bf5d4ac493f631651615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 17



SHA256 hash: 471e2e46c4ee5dc28001efd8f9d8a4bddbb59dcfec77bf5d4ac493f631651615
SHA3-384 hash: 631337be151868a0cd7497fa4663e674a60e3a66ff227bc57eb303e0c0c8d66153dd85cd069e306a885f1cd32c3f68e9
SHA1 hash: 156c9d22af140c41ce69df70b66f36805debca57
MD5 hash: f991c9b58f3db479db70d092e89375e5
humanhash: mars-missouri-finch-romeo
File name: f991c9b58f3db479db70d092e89375e5.exe
Signature: Amadey
File size: 1'615'872 bytes
First seen: 2023-10-29 16:50:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 49152:FwmPPjr4jDUbgvpSTPaDZ/sEOhPv66gG8mzWKBkT:3PH48bcYaDJdI6FGFzRK
Threatray: 2'641 similar samples on MalwareBazaar
TLSH: T1DB752352EAEDD4BBD0762BF024FA2B430B367C755E34D31A265A980758B33C0987179D
TrID: 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: Amadey exe


Comment by abuse_ch:
Amadey C2: 194.49.94.11:80

Intelligence


File Origin
# of uploads: 1
# of downloads: 330
Origin country: NL

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching a service
Creating synchronization primitives
Creating a file
Creating a window
Launching cmd.exe command interpreter
Running batch commands
Blocking the Windows Defender launch
Disabling the operating system update service
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Babadeda, Mystic Stealer, RedLin
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected zgRAT
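Several of the signatures above are registry-based (Defender real-time protection and notifications disabled via registry, Windows Update settings modified, an autostart key created). The script below is an added example, not code from MalwareBazaar or from any of the sandbox vendors quoted on this page: it parses a `reg export` of a suspect host and flags those tamper values. The .reg text is constructed for the demonstration; the value names checked are the documented Defender and Windows Update policy values, and the Run-key entry ("Updater") is a placeholder, not a name taken from this sample.

```python
"""Flag Defender / Windows Update tampering and autoruns in a .reg export (added example)."""
import re

# (key path, value name, value that indicates tampering, finding text)
TAMPER_CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender",
     "DisableAntiSpyware", 1, "Windows Defender disabled by policy"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring", 1, "Defender real-time protection disabled"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableBehaviorMonitoring", 1, "Defender behavior monitoring disabled"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration",
     "Notification_Suppress", 1, "Defender notifications suppressed"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU",
     "NoAutoUpdate", 1, "Automatic Windows Update disabled by policy"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv",
     "Start", 4, "Windows Update service (wuauserv) set to Disabled"),
]
AUTORUN_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed export for the demo (not data from this sample); "Updater" is a placeholder name.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration]
"Notification_Suppress"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe"
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _decode(raw):
    """Decode a .reg value literal: dword:<hex> -> int, "string" (\\ and \" escapes) -> str."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: value}}.
    Key paths are lower-cased so lookups are case-insensitive, as the registry itself is."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            reg[current][name] = _decode(m.group(3))
    return reg


def find_tampering(reg):
    """Return (key, value name, finding) for every tamper check whose value is set."""
    return [(key, name, text) for key, name, bad, text in TAMPER_CHECKS
            if reg.get(key.lower(), {}).get(name) == bad]


def find_autoruns(reg):
    """Return (key, value name, command) for every value under a Run / RunOnce key."""
    entries = []
    for key, values in reg.items():
        if any(key.endswith(suffix.lower()) for suffix in AUTORUN_KEYS):
            entries.extend((key, n, v) for n, v in values.items())
    return entries


def run_example(text=REG_EXPORT):
    reg = parse_reg(text)
    return find_tampering(reg), find_autoruns(reg)


if __name__ == "__main__":
    tamper, autoruns = run_example()
    for key, name, text in tamper:
        print(f"[TAMPER] {text}: {key}\\{name}")
    for key, name, cmd in autoruns:
        print(f"[AUTORUN] {key}\\{name} -> {cmd}")
```

On a live host, produce the input with `reg export HKLM\SOFTWARE\Policies\Microsoft\Windows Defender defender.reg` (and the other hives) and feed the files to `parse_reg`; a Run entry pointing into `%LOCALAPPDATA%\Temp` is the pattern to look for alongside the Defender findings.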
Behaviour
Behavior Graph: ID 1333874, sample Z3W8aSou94.exe, start date 29/10/2023, architecture WINDOWS, score 100.
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 20 other signatures.

Process tree recovered from the graph (indentation gives parent/child; "drops" lists dropped PE32 files, "net" lists contacted hosts, "sig" lists per-process signatures):

Z3W8aSou94.exe
  drops: C:\Users\user\AppData\Local\...\Bs1Nd20.exe, C:\Users\user\AppData\Local\...\7Fz9AT32.exe
  Bs1Nd20.exe
    drops: C:\Users\user\AppData\Local\...\LU6dw80.exe, C:\Users\user\AppData\Local\...\6MF7iO4.exe
    sig: Antivirus detection for dropped file; Machine Learning detection for dropped file
    LU6dw80.exe
      drops: C:\Users\user\AppData\Local\...\mt6aT19.exe, C:\Users\user\AppData\Local\...\5dr9zm9.exe
      sig: Antivirus detection for dropped file; Machine Learning detection for dropped file
      mt6aT19.exe
        drops: C:\Users\user\AppData\Local\...\UZ3JI22.exe, C:\Users\user\AppData\Local\...\4pK530lL.exe
        sig: Antivirus detection for dropped file; Machine Learning detection for dropped file
        UZ3JI22.exe
          drops: C:\Users\user\AppData\Local\...\cM1ZG35.exe, C:\Users\user\AppData\Local\...\3xn79as.exe
          3xn79as.exe
            sig: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 3 other signatures
            explorer.exe (injected)
              net: 5.42.65.80 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 77.91.68.249 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); 3 other IPs or domains
              drops: C:\Users\user\AppData\Local\Temp\F055.exe, C:\Users\user\AppData\Local\TempCCA.exe, C:\Users\user\AppData\Local\Temp\CA4D.exe, 9 other malicious files
              sig: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Found many strings related to Crypto-Wallets (likely being stolen)
              AB45.exe
                drops: C:\Users\user\AppData\Local\...\zY3mS2dr.exe, C:\Users\user\AppData\Local\...\6oI55WO.exe
                sig: Antivirus detection for dropped file; Machine Learning detection for dropped file
                zY3mS2dr.exe
                  drops: C:\Users\user\AppData\Local\...\HW4at4MN.exe, C:\Users\user\AppData\Local\...\5ic02fg.exe
                  sig: Antivirus detection for dropped file; Machine Learning detection for dropped file
              B376.exe
                sig: Multi AV Scanner detection for dropped file
              B5A9.exe
              4 other processes
                chrome.exe
                  net: 239.255.255.250 (unknown, Reserved)
                conhost.exe
                chrome.exe
          cM1ZG35.exe
            drops: C:\Users\user\AppData\Local\...\2OF2267.exe, C:\Users\user\AppData\Local\...\1yF68FL7.exe
            1yF68FL7.exe
              sig: Multi AV Scanner detection for dropped file; Contains functionality to inject code into remote processes; Writes to foreign memory regions
              AppLaunch.exe
                sig: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Modifies windows update settings; 2 other signatures
            2OF2267.exe
              sig: Allocates memory in foreign processes; Injects a PE file into a foreign processes
              AppLaunch.exe
                net: 193.233.255.73 (FREE-NET-ASFREEnetEU, Russian Federation)
        4pK530lL.exe
          sig: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
          AppLaunch.exe
            net: 77.91.124.86 (ECOTEL-ASRU, Russian Federation)
            sig: Found many strings related to Crypto-Wallets (likely being stolen)
      5dr9zm9.exe
        drops: C:\Users\user\AppData\Local\...\explothe.exe
        HW4at4MN.exe
          drops: C:\Users\user\AppData\Local\...\bp2Hd6eX.exe, C:\Users\user\AppData\Local\...\4xn070Pi.exe
          sig: Antivirus detection for dropped file; Machine Learning detection for dropped file
          bp2Hd6eX.exe
            drops: C:\Users\user\AppData\Local\...\xW4IR3EP.exe, C:\Users\user\AppData\Local\...\3iC1RS56.exe
            sig: Antivirus detection for dropped file; Machine Learning detection for dropped file
            xW4IR3EP.exe
              drops: C:\Users\user\AppData\Local\...\2zj496sx.exe, C:\Users\user\AppData\Local\...\1Yq79PT4.exe
              1Yq79PT4.exe
                sig: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                AppLaunch.exe
              2zj496sx.exe
                sig: Tries to harvest and steal browser information (history, passwords, etc)
            Conhost.exe
        explothe.exe
          net: 77.91.124.1 (ECOTEL-ASRU, Russian Federation)
          drops: C:\Users\user\AppData\Roaming\...\clip64.dll, C:\Users\user\AppData\Local\...\clip64[1].dll
          sig: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Creates an undocumented autostart registry key; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules
          cmd.exe
            conhost.exe
            cmd.exe
            5 other processes
          schtasks.exe
            conhost.exe
          rundll32.exe
    6MF7iO4.exe
explothe.exe (second process started directly from the start node)
Threat name: Win32.Trojan.Whispergate
Status: Malicious
First seen: 2023-10-29 16:51:05 UTC
File Type: PE (Exe)
Extracted files: 226
AV detection: 19 of 23 (82.61%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:glupteba family:raccoon family:redline family:smokeloader family:zgrat botnet:6a6a005b9aa778f606280c5fa24ae595 botnet:grome botnet:kinza botnet:up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Amadey
Detect ZGRat V1
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Raccoon
Raccoon Stealer payload
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
http://host-file-host6.com/
http://host-host-file8.com/
http://195.123.218.98:80
http://31.192.23
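The extracted C2 list above mixes full URLs, host:port pairs and one entry that is truncated on the page. The script below is an added example, not code from MalwareBazaar or any vendor: it normalizes these indicators (plus the reporter's 194.49.94.11:80 from the comment above) into host/port/path, refuses to match the truncated entry rather than guessing its missing octet, and runs the set over proxy log lines. The log format and the log lines are constructed here so the script runs offline.

```python
"""Match this entry's C2 indicators against proxy log lines (added example)."""
import re
from urllib.parse import urlsplit

# Indicators as listed on this page plus the reporter's comment.
C2_IOCS = [
    "http://77.91.68.29/fks/",
    "77.91.124.86:19084",
    "http://77.91.124.1/theme/index.php",
    "http://host-file-host6.com/",
    "http://host-host-file8.com/",
    "http://195.123.218.98:80",
    "http://31.192.23",  # truncated on the page; kept verbatim and reported as incomplete
    "194.49.94.11:80",   # reporter comment: Amadey C2
]

# Constructed log lines for the demo: "<timestamp> <client> <method> <target> <status>"
SAMPLE_LOG = [
    "2023-10-29T16:52:10Z 10.0.0.15 GET http://77.91.124.1/theme/index.php 200",
    "2023-10-29T16:52:11Z 10.0.0.15 POST http://77.91.68.29/fks/index.php 200",
    "2023-10-29T16:52:12Z 10.0.0.22 GET http://example.org/ 200",
    "2023-10-29T16:52:13Z 10.0.0.15 CONNECT 77.91.124.86:19084 200",
    "2023-10-29T16:52:14Z 10.0.0.31 GET http://77.91.124.86/ 404",
    "2023-10-29T16:52:15Z 10.0.0.31 GET http://195.123.218.98/ 200",
    "2023-10-29T16:52:16Z 10.0.0.40 GET http://host-file-host6.com/ 200",
    "2023-10-29T16:52:17Z 10.0.0.40 GET http://31.192.23.45/ 200",
    "2023-10-29T16:52:18Z 10.0.0.15 CONNECT 194.49.94.11:80 200",
]

_HOSTPORT = re.compile(r"^([A-Za-z0-9.\-]+):(\d{1,5})$")


def is_incomplete_ipv4(host):
    """True for a dotted-digit host that does not have four octets (e.g. '31.192.23')."""
    return bool(re.fullmatch(r"[\d.]+", host)) and len(host.split(".")) != 4


def normalize_ioc(ioc):
    """Return (host, port, path) for a URL or host:port indicator.
    port is None when the indicator does not pin one; path is None when absent."""
    m = _HOSTPORT.match(ioc)
    if m:
        return m.group(1).lower(), int(m.group(2)), None
    p = urlsplit(ioc)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return p.hostname.lower(), port, p.path or None


def parse_log_line(line):
    """Parse one constructed log line into client/host/port/path."""
    _ts, client, method, target, _status = line.split()
    if method == "CONNECT":
        host, port = target.rsplit(":", 1)
        return {"client": client, "host": host.lower(), "port": int(port), "path": None}
    p = urlsplit(target)
    port = p.port or (443 if p.scheme == "https" else 80)
    return {"client": client, "host": p.hostname.lower(), "port": port, "path": p.path or "/"}


def match_iocs(log_lines, iocs=C2_IOCS):
    """Return (hits, skipped). hits are (line_no, client, ioc, level): 'exact' when host,
    port and path prefix all agree, 'host-only' when only the host does. skipped lists
    indicators too incomplete to match safely."""
    usable, skipped = [], []
    for ioc in iocs:
        host, port, path = normalize_ioc(ioc)
        if is_incomplete_ipv4(host):
            skipped.append(ioc)
        else:
            usable.append((ioc, host, port, path))
    hits = []
    for n, line in enumerate(log_lines, 1):
        rec = parse_log_line(line)
        for ioc, host, port, path in usable:
            if rec["host"] != host:
                continue
            port_ok = port is None or rec["port"] == port
            path_ok = path in (None, "/") or (rec["path"] or "").startswith(path)
            hits.append((n, rec["client"], ioc, "exact" if port_ok and path_ok else "host-only"))
    return hits, skipped


def run_example():
    return match_iocs(SAMPLE_LOG)


if __name__ == "__main__":
    hits, skipped = run_example()
    for n, client, ioc, level in hits:
        print(f"line {n}: {client} -> {ioc} [{level}]")
    for ioc in skipped:
        print(f"incomplete indicator, not matched: {ioc}")
```

A host-only hit (traffic to 77.91.124.86 on a port other than 19084) is still worth triage: the same IP appears as a RedLine endpoint in the behaviour graph above, and infostealer C2 ports change more often than the hosts do.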
Unpacked files

SHA256 hash: 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash: 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash: db8326c4fad0064ce3020226e8556e7cce8ce04e

SHA256 hash: 20856a425b7b619a6738d69d93f0dac8fff37d9ec95697c9e4f282a8e46291f7
MD5 hash: c2a1344b4a64f1160e45b22d90519b7f
SHA1 hash: a343d35b844d606abd506a8197f59ad49a183c90

SHA256 hash: 24332606b01c5c6551bcfb635aba7cfdb61ef6e41543dd1f16625c26da2b743f
MD5 hash: e76854c1e8a42fb0d17fc9dcc39fccdc
SHA1 hash: 8c1075cdfc4d2f88b79bd8b13951de3707ff8d36
Detections: win_smokeloader_a2

SHA256 hash: 9ff89fa951d0a1d69ca653c7f06160c883652f46e547b36fa6805101cadb0469
MD5 hash: ba0e752d239e4ace1493b4f66fb33a89
SHA1 hash: ea3c2e2d1bed97f33c849e52d3bf8362c43fd6fc
Detections: Amadey win_amadey_auto

SHA256 hash: ae6d6c43b41c9f0fe3b6934362abc791f10d84b325def4c7ac05e43ee8c58a63
MD5 hash: fa2709f1f36cc765825efd3b99cece5f
SHA1 hash: d9f71fe217f43b183c08ae3087bedb47bfe40faa

SHA256 hash: 194052638c68b6591dda6546589af2e3066db0b432b751ce14eabe8f8b1ea807
MD5 hash: 4025e73be5ec4b058ed31c0579cd9355
SHA1 hash: 60c25426631fe44397b530b6c6414cad522a3b23

SHA256 hash: 471e2e46c4ee5dc28001efd8f9d8a4bddbb59dcfec77bf5d4ac493f631651615
MD5 hash: f991c9b58f3db479db70d092e89375e5
SHA1 hash: 156c9d22af140c41ce69df70b66f36805debca57
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Amadey
File: Executable exe 471e2e46c4ee5dc28001efd8f9d8a4bddbb59dcfec77bf5d4ac493f631651615 (this sample)

Comments