MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments 1

SHA256 hash:	58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af
SHA3-384 hash:	fa50e6d958057a7a32261878ba580f4caba29c640a58dc57f10a46287e43b59b51d049da6fac88bf2879238b0c5e38ad
SHA1 hash:	594f601a3cd7add83fa94f97fe90da3bfa678449
MD5 hash:	335b17fdc989824126298877bed8804d
humanhash:	asparagus-mirror-dakota-texas
File name:	335b17fdc989824126298877bed8804d
Download:	download sample
Signature	Amadey Create hunting rule
File size:	1'928'704 bytes
First seen:	2024-02-06 05:17:48 UTC
Last seen:	2024-02-06 07:23:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	49152:xUgNIA7z3qjKrO4/b03HqQfEOq5HaLJ5qO441t1+N:7NIAiqj03Hqwjq56Fgz4B
TLSH	T10E9533987E8214B5F2A167F5859D3238FDE4DA915E3F66D888E8E07F2790743EC01893
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	zbetcheckin
Tags:	32 Amadey exe

Intelligence

File Origin

# of uploads :

# of downloads :

351

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af.exe

Verdict:

Malicious activity

Analysis date:

2024-02-06 08:22:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c86a96c3-0bc9-4254-b27e-dcdf060cbc33

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Amadey

Link:

https://www.capesandbox.com/analysis/474797/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.14383.14145.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm packed

Link:

https://www.filescan.io/uploads/65c1c10a19fc380914237a9f/reports/717bb1d8-270a-479c-b3d9-8ae7ab3a3262/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f96383ca-c5c9-400a-bde6-19f5a6335cf9

Result

Threat name:

Amadey

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1387293

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Sigma detected: Capture Wi-Fi password

Sigma detected: Suspicious Script Execution From Temp Folder

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Instant Messenger accounts or passwords

Uses netsh to modify the Windows network and firewall settings

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af/

Threat name:

Win32.Spyware.Risepro

Status:

Malicious

First seen:

2024-02-06 05:18:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lbqcubheuhhzoskw7y7iurg4iesq45sqzq7lgyzapabf22fzusxq._file

Verdict:

malicious

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:amadey family:redline family:risepro family:smokeloader family:zgrat botnet:@oleh_ps botnet:@oni912 botnet:@pixelscloud botnet:livetraffic backdoor discovery evasion infostealer persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/240206-fy9ypshhhl/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Launches sc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

.NET Reactor proctector

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Reads user/profile data of web browsers

Creates new service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Amadey

Detect ZGRat V1

RedLine

RedLine payload

RisePro

SmokeLoader

ZGRat

Malware Config

C2 Extraction:

http://185.215.113.32
20.79.30.95:33223
45.15.156.209:40481
193.233.132.62:50500
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
94.156.67.230:13781
185.172.128.33:8924

Unpacked files

SH256 hash:

1cc8f0342a0f04bc919a6e0f77df1c670e9ebbfd89aa898550b13c5c59edba0d

MD5 hash:

505fc97240ef26cf7aad54e18d65b9c8

SHA1 hash:

581aa701f8da1a9e34433fc158b6e5f02191ad85

Detections:

win_amadey

Link:

https://www.unpac.me/results/12e40935-3e9c-4cc0-b185-422760062b66/

SH256 hash:

58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af

MD5 hash:

335b17fdc989824126298877bed8804d

SHA1 hash:

594f601a3cd7add83fa94f97fe90da3bfa678449

Link:

https://www.unpac.me/results/12e40935-3e9c-4cc0-b185-422760062b66/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/58602a04e4a1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/58602a04e4a1cf974956fe3e8a44dc41250e7650cc3eb3632078025d68b9a4af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.