MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55f6a167e9a16bc90f6009a105bc6484c3969b0ea2c9767ab9b4c0ef78bb6b03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55f6a167e9a16bc90f6009a105bc6484c3969b0ea2c9767ab9b4c0ef78bb6b03
SHA3-384 hash: 9960d5ff90245068037eb7b2b2a993de676d5e9752a13b2d19aea6ee39326d23ac9dcee8507175e2c71d928b2ffa2ad2
SHA1 hash: 3d08a22564db03360119cfc7c0dfc38357a39000
MD5 hash: def8000d24255c6308da5c9be0906455
humanhash: mobile-north-oregon-michigan
File name:def8000d24255c6308da5c9be0906455
Download: download sample
Signature Amadey
Create hunting rule
File size:1'083'522 bytes
First seen:2024-01-18 05:40:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a602c5f081ba454f5c1df2cfd85b0b3a (2 x RedLineStealer, 1 x Amadey, 1 x AsyncRat)
ssdeep 24576:+eWeHj+UtitmFryXUJkpOJ8MAStxuJpuAZgUxLDWh:OwjDwFzMAqxuf0UNWh
TLSH T1E335124278E18031E5B30B309AB7BB114A7DBD614F60CD5F739C05AA4F769C0E9297AB
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon ccb2694d65698edc (1 x Amadey, 1 x LummaStealer, 1 x Rhadamanthys)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
443
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471416/
Detection(s):
Win.Trojan.QuasarRAT-10018765-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hook installer keylogger lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65a8b9f18369fab94df069a2/reports/62a36d96-445e-48ab-bcc3-561380006ddc/overview
Verdict:
Malicious
Labled as:
Fugrafa.Generic
Link:
https://www.hybrid-analysis.com/sample/55f6a167e9a16bc90f6009a105bc6484c3969b0ea2c9767ab9b4c0ef78bb6b03
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ebda7b77-5c76-4575-bdf1-15cb744c5c61
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1376516
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found malware configuration
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Amadey
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1376516 Sample: AqpGH70EhK.exe Startdate: 18/01/2024 Architecture: WINDOWS Score: 100 41 185.196.10.34 SIMPLECARRIERCH Switzerland 2->41 43 oWqnOflySzGIbCKHaKLL.oWqnOflySzGIbCKHaKLL 2->43 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected Amadey 2->49 51 3 other signatures 2->51 9 AqpGH70EhK.exe 12 2->9         started        13 Dctooux.exe 5 10 2->13         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\Temp\...\Lamp, PE32 9->35 dropped 55 Contains functionality to register a low level keyboard hook 9->55 15 cmd.exe 1 9->15         started        18 conhost.exe 9->18         started        signatures6 process7 signatures8 61 Uses ping.exe to sleep 15->61 63 Drops PE files with a suspicious file extension 15->63 65 Uses ping.exe to check the status of other devices and networks 15->65 20 cmd.exe 1 15->20         started        23 conhost.exe 15->23         started        process9 signatures10 53 Uses ping.exe to sleep 20->53 25 Wma.pif 4 20->25         started        29 cmd.exe 2 20->29         started        31 cmd.exe 2 20->31         started        33 6 other processes 20->33 process11 file12 37 C:\Users\user\AppData\Local\...\Dctooux.exe, PE32 25->37 dropped 57 Creates an undocumented autostart registry key 25->57 59 Found API chain indicative of sandbox detection 25->59 39 C:\Users\user\AppData\Local\Temp\...\Wma.pif, PE32 29->39 dropped signatures13
Score:
61%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/55f6a167e9a16bc90f6009a105bc6484c3969b0ea2c9767ab9b4c0ef78bb6b03
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55f6a167e9a16bc90f6009a105bc6484c3969b0ea2c9767ab9b4c0ef78bb6b03/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2024-01-17 22:41:51 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kx3kcz7jufv4sd3abgqqlpdeqtbzngyoulexm6vzwtao66f3nmbq._file
Verdict:
malicious
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey trojan
Link:
https://tria.ge/reports/240118-gde39sdfej/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Malware Config
C2 Extraction:
http://185.196.10.34
Unpacked files
SH256 hash:
bea0b025ee2da35ba3f5656d1250894c5dbab582a96b7fb315bda0e56091ef38
MD5 hash:
f3daeb784bd9bcc3f1f3a84a0a8797f9
SHA1 hash:
fd0df506bfbe5e2d6784ead7b62392285ca04c5d
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/155b1661-5afb-4b1b-88e2-8f5398672672/
SH256 hash:
55f6a167e9a16bc90f6009a105bc6484c3969b0ea2c9767ab9b4c0ef78bb6b03
MD5 hash:
def8000d24255c6308da5c9be0906455
SHA1 hash:
3d08a22564db03360119cfc7c0dfc38357a39000
Link:
https://www.unpac.me/results/155b1661-5afb-4b1b-88e2-8f5398672672/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55f6a167e9a16bc90f6009a105bc6484c3969b0ea2c9767ab9b4c0ef78bb6b03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 55f6a167e9a16bc90f6009a105bc6484c3969b0ea2c9767ab9b4c0ef78bb6b03

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2749268/
Cape
Cape
https://www.capesandbox.com/analysis/471416/

Comments


Avatar
zbet commented on 2024-01-18 05:40:59 UTC

url : hxxp://185.196.10.146/variousstored.exe