MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f75795df9a479ac3958ad0120c45a52846772767fd41685d94a66bdf8cda3e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f75795df9a479ac3958ad0120c45a52846772767fd41685d94a66bdf8cda3e8
SHA3-384 hash: 63f6cf1c0d5c41f444f42ecfeb68040f1f5a82ad0ac54ee4f415399707065cfa484bfeee06c80ea63ca82003287e1a66
SHA1 hash: 530b6ab6f6db2492058fef11f5fe853ac4a1e545
MD5 hash: ba371e7425e9d6823f3007f26bcb8753
humanhash: music-carolina-three-early
File name:ba371e7425e9d6823f3007f26bcb8753.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:227'840 bytes
First seen:2021-12-03 17:01:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b56eb425bb7dbd4f686b84bebc7ef49 (6 x Amadey)
ssdeep 6144:U4sL1BdtBjqEPlnvWGLMs3LssdFW7uys1/:U9RzlnvrosLTdFW7uys
Threatray 195 similar samples on MalwareBazaar
TLSH T1E12418643956C032D660A1B219F57FF6C19DAD15ABB149EF2B800FB6C6222F37930D39
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://w.makemark.xyz/fkwdoXScn2/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://w.makemark.xyz/fkwdoXScn2/index.php https://threatfox.abuse.ch/ioc/258956/

Intelligence

File Origin
# of uploads :
1
# of downloads :
491
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ba371e7425e9d6823f3007f26bcb8753.exe
Verdict:
Malicious activity
Analysis date:
2021-12-03 17:07:46 UTC
Tags:
trojan amadey
Link:
https://app.any.run/tasks/11a66863-64ea-41ad-939e-3fecfed6e886

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211101/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop19.4674.7534.12465.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Adding an access-denied ACE
Creating a process from a recently created file
Creating a window
DNS request
Sending a custom TCP request
Delayed reading of the file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  2/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/681/overview
Behaviour
CheckUsername
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey greyware zusy
Link:
https://www.filescan.io/uploads/61aa4d8ffa72c81b5b09aa9e/reports/d007a083-96e1-4aee-b251-fc3ba34007fd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/300b1630-061c-481f-9a08-c70b553317c2
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901041
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Schedule system process
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 533519 Sample: Q6nqz4O3vi.exe Startdate: 03/12/2021 Architecture: WINDOWS Score: 100 56 s.discoverahuge.xyz 2->56 58 x.eredirected.xyz 2->58 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Antivirus detection for URL or domain 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 74 8 other signatures 2->74 9 Q6nqz4O3vi.exe 4 2->9         started        13 dllhost.exe 2->13         started        15 dllhost.exe 2->15         started        17 dllhost.exe 2->17         started        signatures3 72 System process connects to network (likely due to code injection or exploit) 56->72 process4 file5 54 C:\Users\user\AppData\Local\...\dllhost.exe, PE32 9->54 dropped 86 Contains functionality to inject code into remote processes 9->86 19 dllhost.exe 14 9->19         started        23 cmd.exe 1 9->23         started        25 cmd.exe 1 9->25         started        27 2 other processes 9->27 signatures6 process7 dnsIp8 60 s.discoverahuge.xyz 19->60 62 x.eredirected.xyz 19->62 64 4 other IPs or domains 19->64 76 Antivirus detection for dropped file 19->76 78 System process connects to network (likely due to code injection or exploit) 19->78 80 Multi AV Scanner detection for dropped file 19->80 84 2 other signatures 19->84 29 cmd.exe 1 19->29         started        31 schtasks.exe 1 19->31         started        33 conhost.exe 23->33         started        41 2 other processes 23->41 35 conhost.exe 25->35         started        43 2 other processes 25->43 37 conhost.exe 27->37         started        39 conhost.exe 27->39         started        45 2 other processes 27->45 signatures9 82 Performs DNS queries to domains with low reputation 62->82 process10 process11 47 reg.exe 1 29->47         started        50 conhost.exe 29->50         started        52 conhost.exe 31->52         started        signatures12 88 Creates an undocumented autostart registry key 47->88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f75795df9a479ac3958ad0120c45a52846772767fd41685d94a66bdf8cda3e8/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 09:36:53 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j52xsxpzur42yokyvuasbrc2kkcgo4twp7kbnbozjjtl36gnupua._file
Verdict:
malicious
Similar samples:
250298a15ca5e40170a1feb8e639b12bbd591a448ebbfe5bc7574a1532596c46
Amadey
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112
Amadey
9820500aae4c3b3b5ab38a63f9776a75cfb2203a20798682207aee9e6526aba8
Amadey
9c2b3a7c5abdcd9cfbafc27cddcdd4054cea214e15d3a1666cf407d2479a1f7e
Amadey
c394d2204e02ef3a37d2760d04aa64819fcf7bb5186764e5a48f052379b3a10c
Amadey
fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e
Amadey
ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2
Amadey
+ 185 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey trojan
Link:
https://tria.ge/reports/211203-vj5g1ahagn/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Amadey
Malware Config
C2 Extraction:
w.makemark.xyz/fkwdoXScn2/index.php
s.discoverahuge.xyz/fkwdoXScn2/index.php
x.eredirected.xyz/fkwdoXScn2/index.php
Unpacked files
SH256 hash:
4f75795df9a479ac3958ad0120c45a52846772767fd41685d94a66bdf8cda3e8
MD5 hash:
ba371e7425e9d6823f3007f26bcb8753
SHA1 hash:
530b6ab6f6db2492058fef11f5fe853ac4a1e545
Link:
https://www.unpac.me/results/0690cf0b-2840-4bb4-a2ab-aa97d69482fb/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4f75795df9a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f75795df9a479ac3958ad0120c45a52846772767fd41685d94a66bdf8cda3e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/211101/

Comments