MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56806ed964c59eb4ea1ca169b2ee94ff16677e0079dfaa680b422122e11aa303. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	56806ed964c59eb4ea1ca169b2ee94ff16677e0079dfaa680b422122e11aa303
SHA3-384 hash:	2cf55be1ef488a0d12a830a315fc09a707e026b44dce4911e31156f245cf366751f5a687fb68ef02e2ad9a3e18737358
SHA1 hash:	cc52bfc07650dab051349e9bfffd4dcd832b887c
MD5 hash:	01257eeb032134d0100c019f0db5ecae
humanhash:	vegan-arkansas-johnny-bakerloo
File name:	LisectAVT_2403002C_39.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	430'600 bytes
First seen:	2024-07-25 01:47:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ff23e32a63aac9251bb507fbef91be04 (2 x Stealc, 2 x Amadey, 2 x Smoke Loader)
ssdeep	6144:lfBwgfV+aXoGJR1xpppStlxu4qGilNZZDLxFLWj4+36o9:l3V+anFxZUq1NZJ9N8qu
TLSH	T1C994F10236E2D4B5E6F3423008709B55067FFC765A398A9B7388668F6C756C05E3BB63
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	020400030c082000 (2 x Amadey)
Reporter	Anonymous
Tags:	Amadey exe

Anonymous

this malware sample is very nasty!

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

Vendor Threat Intelligence

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Creating a process with a hidden window

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

amadey epmicrosoft_visual_cc fingerprint microsoft_visual_cc overlay packed

Link:

https://www.filescan.io/uploads/66a1aee23ba51bb345a37535/reports/4d449aec-220c-42f8-876d-46d97e220ecb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Amadey

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1481349

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/56806ed964c59eb4ea1ca169b2ee94ff16677e0079dfaa680b422122e11aa303

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/56806ed964c59eb4ea1ca169b2ee94ff16677e0079dfaa680b422122e11aa303/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2024-07-25 01:48:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k2ag5wleywplj2q4ufu3f3uu74lgo7qaphp2u2aliiqsfyi2umbq._file

Verdict:

malicious

Result

Malware family:

amadey

Score:

10/10

Tags:

family:amadey botnet:54a870 discovery trojan

Link:

https://tria.ge/reports/240725-b78psatgph/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Amadey

Malware Config

C2 Extraction:

http://topgamecheats.dev

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0a721f35-1496-48c1-bcd8-4d59b0bf4226

Unpacked files

SH256 hash:

1c471e686f4cf40a788908a6f1e8b1a7e4c25b32a30a80f140b4f5d9f7015a8d

MD5 hash:

9ef7cf8b9f34042efb62af5de7805f04

SHA1 hash:

61f96d4dc710ebec4414e75911cc94a8f83cb4f4

Detections:

win_amadey_auto

win_amadey

Link:

https://www.unpac.me/results/29da3f13-708d-4a58-86a4-f5ee6663e837/

Parent samples :

fe85fdd0e4c5a86d58cbba30c1888ac5e519f08742abf3577ee5a8f17a676f2b
e80be2782ae7e0bdab958f9ed74f3e1056a0c16b6074a6390a245a6a49e58f0e
d88da24c018b0d0b71a2b29ab1e5684785726396666599e7c5335507237577fc
be331c725bb8691b4cdc441bff8dac6138ad5498f48177691ce311a08a3a1b81
3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348
ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db
339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
6e1d2a58743dd5b05b0654ae4067d77f7580ba07fe034cd7b068f4a084d9fdcd
1e344453ec1208b7fc9fe96377eb47de4ef9162c7cdc0e56bee82a52e42a3856
56806ed964c59eb4ea1ca169b2ee94ff16677e0079dfaa680b422122e11aa303

SH256 hash:

56806ed964c59eb4ea1ca169b2ee94ff16677e0079dfaa680b422122e11aa303

MD5 hash:

01257eeb032134d0100c019f0db5ecae

SHA1 hash:

cc52bfc07650dab051349e9bfffd4dcd832b887c

Link:

https://www.unpac.me/results/29da3f13-708d-4a58-86a4-f5ee6663e837/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/56806ed964c5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	EXE_Stealer_StealC_Feb2024 Create hunting rule
Author:	Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Amadey

exe 56806ed964c59eb4ea1ca169b2ee94ff16677e0079dfaa680b422122e11aa303

(this sample)

Link

https://bbs.kafan.cn/forum-31-1.html

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::FindFirstVolumeMountPointA KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetVolumeInformationA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::PeekConsoleInputA KERNEL32.dll::ReadConsoleA KERNEL32.dll::SetConsoleTextAttribute KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleAliasExesLengthA KERNEL32.dll::GetConsoleAliasW KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW KERNEL32.dll::GetWindowsDirectoryA KERNEL32.dll::RemoveDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::QueryDosDeviceA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample