MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 473edd855b682e814f0caa8afc4bdeae57d32efac1936ae07f12d60645d2f3d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 473edd855b682e814f0caa8afc4bdeae57d32efac1936ae07f12d60645d2f3d8
SHA3-384 hash: f48f855d7c2ae24fad29a089ce6bed1bac478f96d1a09bdc9bdf023caa859e7987a04086ec8ff48bb1f5e430fbf172ab
SHA1 hash: 178bf24a477a7033cd9c24316ed79715bb482384
MD5 hash: 9f11be6d846dfa9f9c511171b1a8d81b
humanhash: rugby-one-mexico-alabama
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:2'908'688 bytes
First seen:2023-12-12 18:24:07 UTC
Last seen:2023-12-12 20:23:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 30f5d0bde0b3d413a8736fe85268342f (1 x Amadey)
ssdeep 49152:HhdP4bFJtqf1CKKmaDmmEq3Y4jq8kyZq2+BS7SHZoEH+u4FHV4BAN3I:BdPuqaDVEsY2jkyZ4tHZeHX+
Threatray 16 similar samples on MalwareBazaar
TLSH T12AD50151A7F98508F2F77B706DBD42D06E39BC65EE35DE1F2225290E0871A50DA70B23
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 595d5919c6c8c9c8 (1 x Amadey)
Reporter jstrosch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-12-12 17:43:31 UTC
Tags:
lumma stealer amadey botnet loader
Link:
https://app.any.run/tasks/ec45f8d1-9b47-4b8a-9659-b1a000aeeae5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466991/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.6406.32679.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a file
Delayed reading of the file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching the process to change network settings
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control expand explorer lolbin nymaim packed packed replace shell32 stealer themidawinlicense
Link:
https://www.filescan.io/uploads/6578a58056d08f7811af8e3e/reports/ea1d2389-6a6e-490b-89fd-23453afd9e42/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/473edd855b682e814f0caa8afc4bdeae57d32efac1936ae07f12d60645d2f3d8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4dbff3af-3094-45b3-9116-d55de24a5458
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1360693
Behaviour
Behavior Graph:
n/a
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/473edd855b682e814f0caa8afc4bdeae57d32efac1936ae07f12d60645d2f3d8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/473edd855b682e814f0caa8afc4bdeae57d32efac1936ae07f12d60645d2f3d8/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-12 18:25:04 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
18 of 23 (78.26%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i47n3bk3naxictymvkfpys66vzl5glx2ygjwvyd7cllamros6pma._file
Verdict:
malicious
Similar samples:
29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3
Amadey
473edd855b682e814f0caa8afc4bdeae57d32efac1936ae07f12d60645d2f3d8
Amadey
5d3bdd91e0b184716f9c229e5bc3d6e7f0c349e1db0a570fe6032b7bd651059a
Amadey
92342e62a3f51b7e205863f58b6a0e0145c4fecc31d40049b91e97ed0bb710ca
Amadey
eec5c05b67d63da5fb1d73b2b33b650c464bb0b9a080b5d556a6a85d20b17c54
Amadey
fd607c65470433fd57bad5fa9b30a46bbfc5dfd918f56327e243646c9548681e
Amadey
+ 6 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/231212-w2lnaahggj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Malware Config
C2 Extraction:
http://185.172.128.5
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/10a14fad-5b1c-403f-afe0-43f7d2d5db0f/
SH256 hash:
f242a2306ca5379fb29786632113079e817a7cff3fabcc4b26dae92d5f473f6c
MD5 hash:
bf96cc0128701df18d1965fa19b2ff93
SHA1 hash:
ad87900e180429d27acc818e7ffa707572809b2d
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
win_amadey_bytecodes_oct_2023
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/10a14fad-5b1c-403f-afe0-43f7d2d5db0f/
SH256 hash:
473edd855b682e814f0caa8afc4bdeae57d32efac1936ae07f12d60645d2f3d8
MD5 hash:
9f11be6d846dfa9f9c511171b1a8d81b
SHA1 hash:
178bf24a477a7033cd9c24316ed79715bb482384
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/10a14fad-5b1c-403f-afe0-43f7d2d5db0f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/473edd855b682e814f0caa8afc4bdeae57d32efac1936ae07f12d60645d2f3d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 473edd855b682e814f0caa8afc4bdeae57d32efac1936ae07f12d60645d2f3d8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2737075/
  
URLhaus
https://urlhaus.abuse.ch/url/2739361/
  
URLhaus
https://urlhaus.abuse.ch/url/2733669/
Cape
Cape
https://www.capesandbox.com/analysis/466991/

Comments