MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 15



SHA256 hash: 52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e
SHA3-384 hash: 555d84ae0e91bbac6af5d306ad1eefa1a0acce7dc1e9c07080c7bdc7e694f76348f256194dbd20db1b0b8df9c35ea598
SHA1 hash: 5263310e8e4fe7984ca29d9a06accd0d237c208c
MD5 hash: 33f3040b744a6d2a175866104e3953e4
humanhash: nitrogen-red-nine-maryland
File name: SecuriteInfo.com.Win32.MalwareX-gen.10870.27618
Signature: Amadey
File size: 1'849'856 bytes
First seen: 2024-08-10 17:25:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'249 x SnakeKeylogger)
ssdeep: 24576:XWhAat7ZeOLYOKxBMfRR3JPf77cJCCDQzIP2LBq4rHsq6N53:GhAa5YfuR3N/4DmIPSBXrMq6b3
TLSH: T13C85D0A9B784FC48C22D263980EF513C217A87811907DB89D4B7ADB27773EC63A5194F
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 105212b92954e413 (1 x Amadey)
Reporter: SecuriteInfoCom
Tags: Amadey exe

Note on the imphash: f34d5f2d4577ed6d9ceec516c1f5a744 is the value produced by a PE whose only native import is mscoree.dll!_CorExeMain, i.e. essentially every .NET executable, which is why it also matches tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples. It carries no family signal for this file; ssdeep, TLSH and the icon dhash are the similarity handles worth pivoting on.

Intelligence


File Origin
# of uploads: 1
# of downloads: 391
Origin country: FR
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Win32.MalwareX-gen.10870.27618
Verdict: Malicious activity
Analysis date: 2024-08-10 17:33:04 UTC
Tags: darktortilla stealer metastealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: Generic Static Pretoria

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: explorer lolbin obfuscated vbnet
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: Amadey, DarkTortilla, PureLog Stealer, R
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour

Behaviour graph (ID 1491047; sample start date 10/08/2024, architecture WINDOWS, score 100):

Network: 185.215.113.101 (WHOLESALECONNECTIONSNL, Portugal)
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 13 other signatures

Process tree (as recorded by the sandbox; indentation shows parent/child):

SecuriteInfo.com.Win32.MalwareX-gen.10870.27618.exe
    dropped: SecuriteInfo.com.W...10870.27618.exe.log (ASCII)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
    AddInProcess32.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
        InstallUtil.exe
            signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            conhost.exe
    AddInProcess32.exe
        signature: Contains functionality to inject code into remote processes
    AddInProcess32.exe
        dropped: C:\Users\user\AppData\Local\...\Hkbsse.exe (PE32)
        Hkbsse.exe
            conhost.exe
Hkbsse.exe (second instance, started at top level)
    conhost.exe
Hkbsse.exe (third instance, started at top level)
    conhost.exe

Reading the tree: AddInProcess32.exe and InstallUtil.exe are legitimate, Microsoft-signed .NET Framework utilities; the "Injects a PE file into a foreign processes" signatures on their parents show they are being used as hosts for the unpacked payload (hence the lolbin tag above), and Hkbsse.exe is the PE32 written under AppData\Local that later runs on its own.
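The process chain above, as an added detection example written for this page (not code from MalwareBazaar or any of the sandbox vendors). It runs three rules over constructed process-creation records shaped like Sysmon Event ID 1 (Image, ParentImage): a .NET Framework host launched by a process under a user-writable path, one host launching another host, and a host launching an executable from a user-writable path. The PIDs, the Desktop location of the sample, the Hkbsse.exe subdirectory (which the page truncates) and the two benign rows are assumptions; the rule names are mine.

```python
"""Added example: detection rules for the sandbox process chain
sample.exe -> AddInProcess32.exe (x3) -> InstallUtil.exe, plus AddInProcess32.exe -> Hkbsse.exe,
run over constructed process-creation records shaped like Sysmon Event ID 1.
"""
from typing import List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str         # Sysmon "Image": full path of the created process
    parent_image: str  # Sysmon "ParentImage": full path of the parent


# Signed .NET Framework utilities that the sandbox saw hosting injected code.
DOTNET_HOSTS = {"addinprocess32.exe", "installutil.exe"}
# Path fragments a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_dotnet_host(path: str) -> bool:
    return basename(path) in DOTNET_HOSTS


def in_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def ancestry(events, pid: int) -> str:
    """Walk ppid links until the parent is unknown; returns 'child <- parent <- ...'."""
    by_pid = {e.pid: e for e in events}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " <- ".join(names)


def detect(events) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, ancestry) for every event that matches one of the three rules."""
    alerts = []
    for ev in events:
        child_host = is_dotnet_host(ev.image)
        parent_host = is_dotnet_host(ev.parent_image)
        if child_host and in_user_writable(ev.parent_image):
            # Rule 1: a .NET host launched by something living under a user-writable path
            alerts.append(("dotnet_host_from_user_path", ev.pid, ancestry(events, ev.pid)))
        elif child_host and parent_host:
            # Rule 2: one injection host launching another (AddInProcess32 -> InstallUtil)
            alerts.append(("dotnet_host_chain", ev.pid, ancestry(events, ev.pid)))
        if parent_host and in_user_writable(ev.image):
            # Rule 3: a .NET host launching an executable from a user-writable path (Hkbsse.exe)
            alerts.append(("dropped_exe_from_dotnet_host", ev.pid, ancestry(events, ev.pid)))
    return alerts


# Constructed input. PIDs, the Desktop path and the Hkbsse.exe subdirectory are placeholders.
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.10870.27618.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
DROPPED = r"C:\Users\user\AppData\Local\placeholder_dir\Hkbsse.exe"  # subdirectory assumed
SYS32 = r"C:\Windows\System32"

EVENTS = [
    ProcEvent(4100, 2200, SAMPLE, r"C:\Windows\explorer.exe"),
    ProcEvent(4168, 4100, FW + r"\AddInProcess32.exe", SAMPLE),
    ProcEvent(4180, 4100, FW + r"\AddInProcess32.exe", SAMPLE),
    ProcEvent(4192, 4100, FW + r"\AddInProcess32.exe", SAMPLE),
    ProcEvent(4220, 4168, FW + r"\InstallUtil.exe", FW + r"\AddInProcess32.exe"),
    ProcEvent(4240, 4192, DROPPED, FW + r"\AddInProcess32.exe"),
    ProcEvent(4260, 4240, SYS32 + r"\conhost.exe", DROPPED),
    # Two benign rows that must not alert: a service host, and InstallUtil run by an installer.
    ProcEvent(5000, 3000, SYS32 + r"\svchost.exe", SYS32 + r"\services.exe"),
    ProcEvent(5010, 3100, FW + r"\InstallUtil.exe", SYS32 + r"\msiexec.exe"),
]


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:28} pid={pid} {chain}")
```

Rule 1 fires three times (one per AddInProcess32.exe child of the sample), Rule 2 once for InstallUtil.exe, Rule 3 once for Hkbsse.exe; the two benign rows produce nothing because neither a Windows directory parent nor a Windows directory child is under a user-writable path.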
Threat name: ByteCode-MSIL.Trojan.Pretoria
Status: Malicious
First seen: 2024-08-06 18:16:18 UTC (four days before the MalwareBazaar upload, so the file was already circulating)
AV detection: 8 of 20 (40.00%)

Threat level: 5/5
Verdict: malicious

Result
Malware family: not given (the family:amadey tag below carries it)
Score: 10/10
Tags: family:amadey botnet:0163e2 credential_access discovery spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Credentials from Password Stores: Credentials from Web Browsers
Amadey
Malware Config
C2 extraction: http://185.215.113.101 (the same address the sandbox saw the sample contact; see the behaviour graph above)
Unpacked files

SHA256: 56aaa2b9e53d69dd75c8d1247220d8ea97b1b7705796b2e2ddff34c7eea8adee
MD5: 50f28d178452b2db4e1f466904e55c78
SHA1: d9a3246a570715d756a6c653b6818afb99ae39ec

SHA256: 0781f74db6c9ff7aa0c1e76dd0ebc4a9575fba6caca9aac9fb0131c5a73c84be
MD5: 2c064163cda2f093cf6d20302481dff7
SHA1: cf948b10d999c369ef51972f86278a4f536d400d

SHA256: 2db82e9b91b1ccb1957b4e06ec49bfb0096e973213fc1786de1bbe3162f5df5a
MD5: 27dea42a70bd7e948f1171ce873878a1
SHA1: b87051d51479c093cdf3e721acea4fd8b940b1e5

SHA256: a5fa23aabe7af2e9417da64e88817b272ac9941d6bdf80e98dca83296177cea7
MD5: e36a340568cf42594f0c60ef1ae6a0b1
SHA1: ac38de5564953b63ba3a221ba218364f78d79375
Detections: win_amadey_auto win_amadey

SHA256: a0593b3a2a2dfaa2c4c4d78065a4c01953a2e74d0c8a2663b3ae5ebe3594ecd8
MD5: d5e22a1a648bc1269e9b6a10f3695820
SHA1: 97f085c5d42ead3747c6701e60df3cabeb42713d
Detections: win_amadey_auto

SHA256: 4605d97b7946e93dfeb01318c7762dee851f0065719e8d71e6645fcfdcbaac15
MD5: 798dbe9297554bc05392520e04b0ea26
SHA1: 32bbdbc0fae71c8a0b6db0a45ca148930a5c50c3

SHA256: 52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e (this sample)
MD5: 33f3040b744a6d2a175866104e3953e4
SHA1: 5263310e8e4fe7984ca29d9a06accd0d237c208c

Only two of the memory dumps match the Amadey YARA rules (win_amadey_auto, win_amadey); the outer file matches none, consistent with its role as a crypter layer (DarkTortilla, per the vendor signatures above). The unpacked hashes are the ones to pivot on when hunting for the Amadey stage.
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

All four displayed rules are generic: two identify .NET executables and two match on imphash. None of them is Amadey-specific; the Amadey matches (win_amadey, win_amadey_auto) come from the unpacked memory dumps listed above.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Sample: Amadey, Executable exe, 52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e (this sample)

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings

ID                        | Title                                            | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                             | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF)  | high

Neither finding is evidence of malice on its own (much legitimate software ships unsigned and without Control Flow Guard); they are build properties recorded alongside the detections above.
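How the two findings are derived, as an added example rather than BLint's own code: both checks reduce to reading the PE optional header, the GUARD_CF bit (0x4000) in IMAGE_OPTIONAL_HEADER.DllCharacteristics and the Certificate Table data directory (entry 4), with nothing beyond the Python standard library. The example goes slightly beyond the page in handling both PE32 and PE32+ header layouts. The minimal PE produced by build_minimal_pe32 is a constructed test fixture, not this sample; the finding strings are copied from the table above.

```python
"""Added example: reproduce BLint's CHECK_DLL_CHARACTERISTICS (GUARD_CF) and
CHECK_AUTHENTICODE findings by parsing the PE optional header with struct."""
import struct

IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Certificate Table (Authenticode)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_security_properties(data: bytes) -> dict:
    """Return DllCharacteristics, the GUARD_CF flag and Authenticode presence for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                     # skip the 20-byte IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics is at +70 in both layouts; the data directories start at +96
    # (PE32) or +112 (PE32+) because PE32+ widens the four stack/heap size fields.
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    cert_offset = cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories, this entry holds a raw file offset, not an RVA.
        cert_offset, cert_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "dll_characteristics": dll_characteristics,
        "guard_cf": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "authenticode": cert_offset != 0 and cert_size != 0,
    }


def blint_style_findings(data: bytes) -> list:
    """Emit (id, title, severity) tuples in the shape of the BLint findings table."""
    props = pe_security_properties(data)
    findings = []
    if not props["authenticode"]:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not props["guard_cf"]:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (GUARD_CF)", "high"))
    return findings


def build_minimal_pe32(dll_characteristics: int, cert_offset: int = 0, cert_size: int = 0) -> bytes:
    """Constructed fixture: DOS header + PE32 headers with no sections. Parseable, not loadable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96 + 16 * 8                      # fixed PE32 fields + 16 data directories
    # Machine=i386, 0 sections, no symbols, SizeOfOptionalHeader, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A typical unsigned, CFG-less build: DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
    for finding in blint_style_findings(build_minimal_pe32(0x8140)):
        print(" | ".join(finding))
```

Running it on a real file is `blint_style_findings(open(path, "rb").read())`; on an unsigned image built without /guard:cf it reproduces both rows of the table above, and on a signed image with GUARD_CF set it returns an empty list.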
