MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e1d74dc935346c30932b28a22a2e19bb734037f08ba7b4964ffabec69962629. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e1d74dc935346c30932b28a22a2e19bb734037f08ba7b4964ffabec69962629
SHA3-384 hash: 2cdfca63ce71d8c516c22324500dabcaa9d0de955334bbbd514ec2093075387558a145a53aac4be6cab655fe4e6f93fc
SHA1 hash: f1443117dd042393e5e0a550a41ed6960f3a709f
MD5 hash: dc41a7601e277c0891f4610b3883fa53
humanhash: sad-wolfram-magazine-connecticut
File name:dc41a7601e277c0891f4610b3883fa53
Download: download sample
Signature Amadey
Create hunting rule
File size:941'056 bytes
First seen:2023-01-06 16:01:02 UTC
Last seen:2023-01-06 18:32:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:RU6Lg8w4CoDdo77aPzblpr84BOVY7Iz3heJ5TRqzkynNFeWvQX+qjJF0qDIcpoy7:mnfjkof+n84Gbg5oTNwWvQuqj3R7
Threatray 8'551 similar samples on MalwareBazaar
TLSH T11C156CBA353632DECD578176C9791C10AD0964FA43078263B1E352AEDA4C5CBFE948F2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
CP8b396Iq3nOixp.exe
Verdict:
Malicious activity
Analysis date:
2023-01-06 14:20:36 UTC
Tags:
trojan amadey stealer loader
Link:
https://app.any.run/tasks/f1dee0f3-0f77-427a-9892-de695e491239

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/350174/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.24108.11972.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/63b845c4b9b1c173752091c8/reports/b9dd3a1d-f7a2-4817-b150-dee22e5668f6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a17c8f96-74c7-4539-be15-00bd60ddbb2b
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1146525
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 779258 Sample: WBzpUOGRJA.exe Startdate: 06/01/2023 Architecture: WINDOWS Score: 100 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 Antivirus detection for dropped file 2->63 65 9 other signatures 2->65 10 WBzpUOGRJA.exe 3 2->10         started        14 nbveek.exe 2 2->14         started        16 nbveek.exe 2->16         started        process3 file4 47 C:\Users\user\AppData\...\WBzpUOGRJA.exe.log, ASCII 10->47 dropped 75 Injects a PE file into a foreign processes 10->75 18 WBzpUOGRJA.exe 4 10->18         started        21 WBzpUOGRJA.exe 10->21         started        23 nbveek.exe 14->23         started        25 nbveek.exe 14->25         started        signatures5 process6 file7 43 C:\Users\user\AppData\Local\...\nbveek.exe, PE32 18->43 dropped 45 C:\Users\user\...\nbveek.exe:Zone.Identifier, ASCII 18->45 dropped 27 nbveek.exe 3 18->27         started        process8 signatures9 77 Multi AV Scanner detection for dropped file 27->77 79 Machine Learning detection for dropped file 27->79 81 Uses schtasks.exe or at.exe to add and modify task schedules 27->81 83 Injects a PE file into a foreign processes 27->83 30 nbveek.exe 18 27->30         started        process10 dnsIp11 55 79.137.192.6 PSKSET-ASRU Russian Federation 30->55 49 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32 30->49 dropped 51 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32 30->51 dropped 57 Creates an undocumented autostart registry key 30->57 35 rundll32.exe 30->35         started        39 schtasks.exe 1 30->39         started        file12 signatures13 process14 dnsIp15 53 192.168.2.5 unknown unknown 35->53 67 System process connects to network (likely due to code injection or exploit) 35->67 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->69 71 Tries to steal Instant Messenger accounts or passwords 35->71 73 2 other signatures 35->73 41 conhost.exe 39->41         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e1d74dc935346c30932b28a22a2e19bb734037f08ba7b4964ffabec69962629/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-01-04 04:46:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jyoxjxetkndmgcjswkfcfixbto3tia37bc5hwsle76v6y2mweyuq._file
Verdict:
malicious
Similar samples:
4b834ce0a8404956a934c2b2be8441439b5b049179fe94788b5007fda7f2c2fa
Amadey
5aa9b4f53d0741990b4cfe24eb6010ffa9c68bd60100e77e0fa5e6b3dc66a06b
Amadey
7001538a3316bf0f86e9730d0a38992357f4669d3a4a85e77f1ec42293499ff5
Amadey
811776b7e88a6f52c43527f71c90981244e6cde742fe45a88c50b15327f5406b
Amadey
913b4c5b56c9810727dd256451bfc8e687905102bd503ec814bc26baef7dec13
Amadey
ed236ec0b877086ffbdd929f5beec3818c032744d9f088c45b3a348f5648d038
Amadey
ed3d540886144d18a9f15c349cff1a89080dbb9e62ad224efbe83307af3171f2
Amadey
f1824fe41b4fb79b857d2a94537bae3a91a6056378f5aa1e59255ab3bbe7b21e
Amadey
f9ffa58b5dd142b4f6e87a1c7fb8915a1d2054c5ffeda62eab078c8f5b1ef644
Amadey
fa5ab0282cfc40c8ccae287f9d347787ab1e4b504abd7af80f854463d2f894c6
Amadey
+ 8'541 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey collection spyware stealer trojan
Link:
https://tria.ge/reports/230106-tgan6sch2y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
Malware Config
C2 Extraction:
79.137.192.6/u83mfdS2/index.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5e9d41a7-a002-4630-a6b7-3c0762b3ac53
Unpacked files
SH256 hash:
fc6485350cf55dc14ecbfd9b91b7a9979f61023b4104101e9f351caa6c73abaa
MD5 hash:
6c3fdb2b5d93cf814ea1b6ca05a0efcf
SHA1 hash:
f8ae5f9fa1c9b6b0e47b2f0873d2ee3373e0ebf5
Link:
https://www.unpac.me/results/e62f4859-cbef-4c4a-819f-56a558be9942/
SH256 hash:
b3af03b153b10a881d6cf900da486654e859cbb474b151568f7399500c96bf94
MD5 hash:
3f67a2d867af0e991b37f12b81bf6ac4
SHA1 hash:
f544f4d07a4dc7f16a4fda1cb2a6a742fa1a7af8
Link:
https://www.unpac.me/results/e62f4859-cbef-4c4a-819f-56a558be9942/
SH256 hash:
88e67febe17869e5af5a8e05b500ed9aff15bd9f424b9d89e5ad1f6190376315
MD5 hash:
26682d6a49ff82877a2878939028175c
SHA1 hash:
c68a0dd31f49fb2cbfcec4d167746a36323cef65
Link:
https://www.unpac.me/results/e62f4859-cbef-4c4a-819f-56a558be9942/
SH256 hash:
476d47c18af4d61e015964f83d97afe33f70b73d6228f83d9b0a554a49301d37
MD5 hash:
b55537271b211dba08a285d0916fe794
SHA1 hash:
9f68f6aae8076c709168087999b54851af7bad2b
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/e62f4859-cbef-4c4a-819f-56a558be9942/
Parent samples :
476d47c18af4d61e015964f83d97afe33f70b73d6228f83d9b0a554a49301d37
4e1d74dc935346c30932b28a22a2e19bb734037f08ba7b4964ffabec69962629
SH256 hash:
359c1951151f6975e1dd6d3b4d543ed825ea2c209b580f0ffd7a49bb2710a36c
MD5 hash:
08e036bc4e504c5f866c04c587470447
SHA1 hash:
610f52f62bb07163bc480c7375720c7339f0e14a
Link:
https://www.unpac.me/results/e62f4859-cbef-4c4a-819f-56a558be9942/
SH256 hash:
4e1d74dc935346c30932b28a22a2e19bb734037f08ba7b4964ffabec69962629
MD5 hash:
dc41a7601e277c0891f4610b3883fa53
SHA1 hash:
f1443117dd042393e5e0a550a41ed6960f3a709f
Link:
https://www.unpac.me/results/e62f4859-cbef-4c4a-819f-56a558be9942/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4e1d74dc9353/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e1d74dc935346c30932b28a22a2e19bb734037f08ba7b4964ffabec69962629

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 4e1d74dc935346c30932b28a22a2e19bb734037f08ba7b4964ffabec69962629

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2498986/
Cape
Cape
https://www.capesandbox.com/analysis/350174/

Comments


Avatar
zbet commented on 2023-01-06 16:01:06 UTC

url : hxxp://95.111.230.118/system/download/falcon/CP8b396Iq3nOixp.exe