MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57ebc7f3cb3ae62e5789d6b11cdcf3eee397c16f86cc6fee18e938edde4dd1f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57ebc7f3cb3ae62e5789d6b11cdcf3eee397c16f86cc6fee18e938edde4dd1f4
SHA3-384 hash: 864aa79c43aba07148025554759da1b7ca486fd4fbe4a9e9bb6caf83a2ab8139b425e495edf467638418ce3a23525c00
SHA1 hash: 77c7424f531118c708630f9bcf6992ff392edafe
MD5 hash: e777dd4e13ca5a7561c0a221e898d647
humanhash: pluto-indigo-bakerloo-montana
File name:LisectAVT_2403002B_222.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'916'416 bytes
First seen:2024-07-25 01:06:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:5oo0BavrjK/btvFFdVLNZCNSrlBfc0b3LAoI+RF4YOXfQkYzPi1w4EWUz0T9Z0/4:N0D7f9CqK0b3NYdYzs9EkE
Threatray 2 similar samples on MalwareBazaar
TLSH T1FB9533CA9F33606DE44A1ABF66451606B5A0C50E30FE683D66E703B4E6375188FADCF4
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
17.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Anonymous
Tags:Amadey exe


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Searching for analyzing tools
Searching for the window
Creating a file
Searching for synchronization primitives
Modifying an executable file
Query of malicious DNS domain
Connection attempt to an infection source
Infecting executable files
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66a1a53e4c5c17942a7d36e5/reports/add96604-2e35-41f2-9f6a-234c161e6416/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1d4a1be-d5ec-42db-ba5b-73a012c2ea17
Result
Threat name:
Amadey, Bdaejec
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1481948
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/57ebc7f3cb3ae62e5789d6b11cdcf3eee397c16f86cc6fee18e938edde4dd1f4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57ebc7f3cb3ae62e5789d6b11cdcf3eee397c16f86cc6fee18e938edde4dd1f4/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-25 01:07:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
36 of 38 (94.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7v4p46lhltc4v4j22yrzxht53rzpqlpq3gg73qy5e4o3xsn2h2a._file
Verdict:
malicious
Similar samples:
57ebc7f3cb3ae62e5789d6b11cdcf3eee397c16f86cc6fee18e938edde4dd1f4
Amadey
682e5a143bf1041ee0d8cf47c9d8c0aad22cb9fa2cd353dbe367a80011e9a158
Amadey
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:b68ccf aspackv2 discovery evasion trojan
Link:
https://tria.ge/reports/240725-bgp5raycpr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
ASPack v2.12-2.42
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Malware Config
C2 Extraction:
http://185.215.113.32
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e20608d9-8897-43d6-a1ee-9e327d2a7bfb
Unpacked files
SH256 hash:
16a6212fc104eef56c2784fbb994825b3d76081138ddc579031e26523451158f
MD5 hash:
be5bbc14818b26640e0263393c72e46e
SHA1 hash:
c5e6e68b269ebba7c6d889b8ccfad65f8980d74f
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/97374556-f01a-47bc-86fb-93d348b819f6/
SH256 hash:
dbf4f7f3c13f3732c2c3e06398336a3d7ea21801081fc5ba04927287ceb2d00e
MD5 hash:
8bc076978042868e5a37dab8c8881a9c
SHA1 hash:
29b7cea63225a13170fa2dead791ce5805405560
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/97374556-f01a-47bc-86fb-93d348b819f6/
SH256 hash:
57ebc7f3cb3ae62e5789d6b11cdcf3eee397c16f86cc6fee18e938edde4dd1f4
MD5 hash:
e777dd4e13ca5a7561c0a221e898d647
SHA1 hash:
77c7424f531118c708630f9bcf6992ff392edafe
Link:
https://www.unpac.me/results/97374556-f01a-47bc-86fb-93d348b819f6/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Amadey

Executable exe 57ebc7f3cb3ae62e5789d6b11cdcf3eee397c16f86cc6fee18e938edde4dd1f4

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments