MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 562f0db742e6af6f4b12800d3b2b7d918eab8e467b00cf0dfaaf1292452b48a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 562f0db742e6af6f4b12800d3b2b7d918eab8e467b00cf0dfaaf1292452b48a3
SHA3-384 hash: 62420b4209bb42aa57b0314b54806345ee59c9551ace0a35d7e3956517ef472c4429d075f1c63619b3da4f5f354e49b4
SHA1 hash: f5f40205e5bac70f5b4033a9777de14868b6298f
MD5 hash: 30940c24946f655b1badd8508088fa97
humanhash: oregon-cola-glucose-friend
File name:30940c24946f655b1badd8508088fa97.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:31'304 bytes
First seen:2023-07-19 14:10:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW
Threatray 4'731 similar samples on MalwareBazaar
TLSH T1E1E2F10E1AA4A0DDE59651B280C39E77EA8433D314A673C8C173AFFDD787F81B591268
TrID 42.6% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
18.9% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
0.2% (.VXD) VXD Driver (29/21)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
77.91.68.68:19071

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
30940c24946f655b1badd8508088fa97.exe
Verdict:
Malicious activity
Analysis date:
2023-07-19 14:11:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bfbb42ee-f3d2-43f0-8311-75eae2c771da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/425118/
Detection(s):
SecuriteInfo.com.Trojan.Heur.beW@JuwNMY.13899.17887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mokes overlay packed xpack
Link:
https://www.filescan.io/uploads/64b7eef791e7270521ea8372/reports/1784e9db-b7ac-4a97-b810-352404305711/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/562f0db742e6af6f4b12800d3b2b7d918eab8e467b00cf0dfaaf1292452b48a3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4dcf70cb-eb28-4a3d-9f2e-9117c6419035
Result
Threat name:
Amadey, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276042
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1276042 Sample: JG5TDmd6Mm.exe Startdate: 19/07/2023 Architecture: WINDOWS Score: 100 113 Snort IDS alert for network traffic 2->113 115 Found malware configuration 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 16 other signatures 2->119 12 JG5TDmd6Mm.exe 2->12         started        15 bustjds 2->15         started        17 bustjds 2->17         started        19 5 other processes 2->19 process3 signatures4 153 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->153 155 Maps a DLL or memory area into another process 12->155 157 Checks if the current machine is a virtual machine (disk enumeration) 12->157 21 explorer.exe 5 9 12->21 injected 159 Antivirus detection for dropped file 15->159 161 Multi AV Scanner detection for dropped file 15->161 163 Machine Learning detection for dropped file 15->163 165 Creates a thread in another existing process (thread injection) 17->165 process5 dnsIp6 103 77.91.68.29, 49701, 49703, 49704 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 21->103 105 77.91.68.30, 49706, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 21->105 107 2 other IPs or domains 21->107 85 C:\Users\user\AppData\Roaming\bustjds, PE32 21->85 dropped 87 C:\Users\user\AppData\Local\Temp\BEA5.exe, PE32 21->87 dropped 89 C:\Users\user\AppData\Local\Temp\AB5.exe, PE32 21->89 dropped 91 2 other malicious files 21->91 dropped 139 System process connects to network (likely due to code injection or exploit) 21->139 141 Benign windows process drops PE files 21->141 143 Deletes itself after installation 21->143 145 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->145 26 20A7.exe 4 21->26         started        30 AB5.exe 21->30         started        32 BEA5.exe 1 21->32         started        file7 signatures8 process9 file10 93 C:\Users\user\AppData\Local\...\x5957281.exe, PE32 26->93 dropped 95 C:\Users\user\AppData\Local\...\j7137550.exe, PE32 26->95 dropped 147 Antivirus detection for dropped file 26->147 149 Machine Learning detection for dropped file 26->149 34 x5957281.exe 4 26->34         started        38 j7137550.exe 26->38         started        97 C:\Users\user\AppData\Local\Temp\CqZq.cpl, PE32 30->97 dropped 41 control.exe 30->41         started        151 Multi AV Scanner detection for dropped file 32->151 signatures11 process12 dnsIp13 77 C:\Users\user\AppData\Local\...\h9681577.exe, PE32 34->77 dropped 79 C:\Users\user\AppData\Local\...\g5338406.exe, PE32 34->79 dropped 121 Antivirus detection for dropped file 34->121 123 Machine Learning detection for dropped file 34->123 43 g5338406.exe 3 34->43         started        47 h9681577.exe 1 34->47         started        109 77.91.68.68, 19071, 49790 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 38->109 125 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->125 127 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 38->127 129 Tries to harvest and steal browser information (history, passwords, etc) 38->129 49 rundll32.exe 41->49         started        file14 signatures15 process16 file17 99 C:\Users\user\AppData\Local\...\danke.exe, PE32 43->99 dropped 167 Antivirus detection for dropped file 43->167 169 Multi AV Scanner detection for dropped file 43->169 171 Machine Learning detection for dropped file 43->171 173 Contains functionality to inject code into remote processes 43->173 51 danke.exe 17 43->51         started        175 Tries to detect sandboxes / dynamic malware analysis system (file name check) 49->175 56 rundll32.exe 49->56         started        signatures18 process19 dnsIp20 101 77.91.68.3, 49707, 49708, 49709 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 51->101 81 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 51->81 dropped 83 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 51->83 dropped 131 Antivirus detection for dropped file 51->131 133 Multi AV Scanner detection for dropped file 51->133 135 Creates an undocumented autostart registry key 51->135 137 2 other signatures 51->137 58 cmd.exe 1 51->58         started        60 schtasks.exe 1 51->60         started        62 rundll32.exe 51->62         started        64 rundll32.exe 56->64         started        file21 signatures22 process23 signatures24 67 conhost.exe 58->67         started        69 cmd.exe 1 58->69         started        71 cacls.exe 1 58->71         started        75 4 other processes 58->75 73 conhost.exe 60->73         started        111 Tries to detect sandboxes / dynamic malware analysis system (file name check) 64->111 process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/562f0db742e6af6f4b12800d3b2b7d918eab8e467b00cf0dfaaf1292452b48a3/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 02:28:27 UTC
File Type:
PE (Exe)
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kyxq3n2c42xw6sysqagtwk35sghkxdsgpmam6dp2v4jjerjljcrq._file
Verdict:
malicious
Similar samples:
34f122f1f2078367b52f59c04bdce076617445442f95c62b96ec104e8ee733df
Amadey
4464eac337f79d47d791c202d2a12935d7f6df0e9e6cb7628368f48945eaf8dd
Amadey
7f02d0bb42962b382ef7d6f5c3d647fa199311a586b5f0fd6c5e266759211967
Amadey
923ecbb2b0072d79eefb842e6e02ab6f3f8cb3e34a7cefa53368b8db06e40bfd
Amadey
93b75a7c9f000e58aa2c13e033e2d822590886ca67e6dc6157c9d5bbe20a6af4
Amadey
9b8c90e5119853c1a09f31a773e2d4af151c78174c78b14eac6377c7562f7735
Amadey
9c470bd34351c82f46d2c97771c80ab511498b837ee61daa060596892b602855
Amadey
e3c15f1c7b655b44882792cbb98fd962f47137dea2621128be6595a1237a2672
Amadey
f432f9cb89ee9ea1704bf3d33c85f19483a4258f4277b126201930dff9d119f5
Amadey
f7d5ba31a01492a8f04c8f43369d3cbd2ce4c31c4ced5fd6fec50fbfa44d64e0
Amadey
+ 4'721 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/230719-rg9gdshc2w/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
Unpacked files
SH256 hash:
562f0db742e6af6f4b12800d3b2b7d918eab8e467b00cf0dfaaf1292452b48a3
MD5 hash:
30940c24946f655b1badd8508088fa97
SHA1 hash:
f5f40205e5bac70f5b4033a9777de14868b6298f
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/f2ef93b5-ec92-4740-bf80-39b79697d84e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/562f0db742e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Amadey
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/562f0db742e6af6f4b12800d3b2b7d918eab8e467b00cf0dfaaf1292452b48a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/425118/

Comments