MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d
SHA3-384 hash: 16b3581e02c1eee53f8ece051b6e4177053da7c9c7241b8168006370bac306df5f73a8e6568e9b3dc125a126e603c426
SHA1 hash: cd856459027e73b316e0998d0ed9823dcc3b272a
MD5 hash: abaf1e6e0cadc624156319232e349005
humanhash: purple-charlie-kitten-solar
File name:abaf1e6e0cadc624156319232e349005
Download: download sample
Signature Amadey
Create hunting rule
File size:2'722'816 bytes
First seen:2024-03-30 07:44:55 UTC
Last seen:2024-03-30 09:27:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:KefMkcNeKO0lRR85uZ+C8X0muID5V8LJsnjP3QJop:xRQeKvlTgEm32JsjPgJop
Threatray 2'634 similar samples on MalwareBazaar
TLSH T1C3C5CFDFED94AB1CF98B3EFA8322231C5EB46C1B71E3B5587A0515E405026937386CE6
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
355
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d.exe
Verdict:
Malicious activity
Analysis date:
2024-03-30 07:45:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d821a7d9-2fdc-4819-902c-1b0d31d24ccb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
anti-vm net_reactor packed packed
Link:
https://www.filescan.io/uploads/6607c315d463a7b04773a606/reports/405ebc0c-aaf9-437b-ba90-5e9b2f015892/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/77558a87-8c7b-45ef-b0f7-12c81115fbeb
Result
Threat name:
Amadey, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1417748
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates files in the system32 config directory
Drops large PE files
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample uses string decryption to hide its real strings
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1417748 Sample: BzUlbm2Ytw.exe Startdate: 30/03/2024 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Found malware configuration 2->57 59 Antivirus detection for URL or domain 2->59 61 20 other signatures 2->61 8 powershell.exe 2 15 2->8         started        11 BzUlbm2Ytw.exe 2 6 2->11         started        process3 file4 69 Writes to foreign memory regions 8->69 71 Modifies the context of a thread in another process (thread injection) 8->71 73 Found suspicious powershell code related to unpacking or dynamic code loading 8->73 75 Injects a PE file into a foreign processes 8->75 14 dllhost.exe 1 8->14         started        17 conhost.exe 8->17         started        49 C:\Users\user\AppData\...\$77codescanner.exe, PE32 11->49 dropped 51 C:\Users\user\AppData\Local\Temp\$77f2a0f9, PE32 11->51 dropped 53 C:\Users\user\AppData\Local\Temp\$778be5ae, PE32 11->53 dropped 77 Creates autostart registry keys with suspicious names 11->77 79 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->79 81 Drops large PE files 11->81 19 $77f2a0f9 11->19         started        21 $778be5ae 1 11->21         started        signatures5 process6 signatures7 91 Injects code into the Windows Explorer (explorer.exe) 14->91 93 Contains functionality to inject code into remote processes 14->93 95 Writes to foreign memory regions 14->95 101 3 other signatures 14->101 23 lsass.exe 13 14->23 injected 27 $77codescanner.exe 14->27         started        29 svchost.exe 8 14->29         started        33 27 other processes 14->33 97 Multi AV Scanner detection for dropped file 19->97 99 Machine Learning detection for dropped file 19->99 31 WerFault.exe 2 16 19->31         started        process8 file9 45 C:\Users\user\AppData\Roaming\...\Preferred, DOS 23->45 dropped 83 Installs new ROOT certificates 23->83 85 Creates files in the system32 config directory 23->85 87 Writes to foreign memory regions 23->87 35 $77codescanner.exe 2 23->35         started        39 svchost.exe 23->39 injected 47 C:\Users\user\AppData\Local\Temp\$77b82694, PE32 27->47 dropped 89 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->89 41 WerFault.exe 2 29->41         started        signatures10 process11 file12 43 C:\Users\user\AppData\Local\Temp\$779dc45a, PE32 35->43 dropped 63 Antivirus detection for dropped file 35->63 65 Machine Learning detection for dropped file 35->65 67 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 35->67 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-03-30 07:45:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jp2q2b4kw3z474ix4qxhp3prmlio5f3yte5vqwbecv4zhrc4saoq._file
Verdict:
malicious
Similar samples:
495c76a1f5b27c1d1dd4c02a2d6b14c33f02f7fff1d4720e9f751055f9dd9a51
Amadey
4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d
Amadey
94e31d208cd89ff78bffbd2737d2b629710a46dde9288549e6027008debf7461
Amadey
d545f5b27e90abc54cf5a37c35e866c08336a500cecd95e8267c0c729a6b9bbc
Amadey
dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08
Amadey
df18a66e0d7dac7371e4371005a83e4735f5e22377b28f00bb0f41a3feee92a5
Amadey
+ 2'624 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:zgrat persistence rat trojan
Link:
https://tria.ge/reports/240330-jle5cabc3t/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Amadey
Detect ZGRat V1
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Malware Config
C2 Extraction:
http://cjware.ru
Unpacked files
SH256 hash:
ea3187efd04212d602f9bc4d643fb70b97631bab5f5dd983f87f328eb0320d29
MD5 hash:
53db510d81ed002c7cc4e866ec29db87
SHA1 hash:
c7767245984ea6e563f5717da6008d8e74f97a9d
Link:
https://www.unpac.me/results/bef97093-ae0c-4e8f-b0c7-62c42bee5017/
SH256 hash:
434daca36d02410a1e12365eefe415cc6565f53a7538b7fe941572d708c2b884
MD5 hash:
2c02ea5998d90cac660103ddfccdf04f
SHA1 hash:
4b7c60e068563aed2d85be39d7856d726052f32b
Link:
https://www.unpac.me/results/bef97093-ae0c-4e8f-b0c7-62c42bee5017/
SH256 hash:
a3a9ab7a11220833f929dcd26ea91c26b4f5815c53dce1fc79c9a77a2031faaf
MD5 hash:
8d47464a62a0956c0d11a04a9417b2ce
SHA1 hash:
42e249276c23cbfa170b7f07f13483b249cd7697
Link:
https://www.unpac.me/results/bef97093-ae0c-4e8f-b0c7-62c42bee5017/
SH256 hash:
4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d
MD5 hash:
abaf1e6e0cadc624156319232e349005
SHA1 hash:
cd856459027e73b316e0998d0ed9823dcc3b272a
Link:
https://www.unpac.me/results/bef97093-ae0c-4e8f-b0c7-62c42bee5017/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_be403e3c
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2796251/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-03-30 07:44:56 UTC

url : hxxps://depot.4d2.org/pr1KoYGyugcP.exe