MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash: 587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f
SHA3-384 hash: a61f76779137bbfc730af80e4fdfe4dd89211757445836b2c487fcd4c348020b897607b024a70e64aa2ed46540dcb01e
SHA1 hash: c1207ad874e88db39fb45fbb30b80a22b14a3f8d
MD5 hash: 228e9e4a42f5596a5becbacc44a03fc7
humanhash: missouri-echo-mountain-cold
File name:228e9e4a42f5596a5becbacc44a03fc7.exe
Download: download sample
Signature Amadey
File size:320'000 bytes
First seen:2022-01-14 00:46:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1edccb2e6808b6fbc3aa19660b738ec5 (1 x Amadey, 1 x RedLineStealer, 1 x CoinMiner)
ssdeep 6144:/Oavz6WY4qUEWuH0EAy7mlXafNHJgrtkP7T2A/HHdsJs:m3WY4qUlEUXGHCRkTT2AHd
Threatray 6'550 similar samples on MalwareBazaar
TLSH T131649E10BBA0C035F5B762F845B597BCB93E7EA1972490CB12D52AEA47346E0EC3171B
File icon (PE):PE icon
dhash icon 2dac1378399b9b91 (14 x RedLineStealer, 11 x ArkeiStealer, 8 x Smoke Loader)
Reporter @abuse_ch
Tags:Amadey exe


Twitter
@abuse_ch
Amadey C2:
65.108.104.175:1193

Intelligence


File Origin
# of uploads :
1
# of downloads :
493
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
228e9e4a42f5596a5becbacc44a03fc7.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-14 00:49:25 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Searching for synchronization primitives
–°reating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes tofsee
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
RedLine SmokeLoader Tofsee Vidar
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 552985 Sample: JV4ILFxpDY.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 80 googlehosted.l.googleusercontent.com 2->80 82 clients2.googleusercontent.com 2->82 84 2 other IPs or domains 2->84 104 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->104 106 Multi AV Scanner detection for domain / URL 2->106 108 Antivirus detection for URL or domain 2->108 110 13 other signatures 2->110 11 JV4ILFxpDY.exe 2->11         started        14 jhewjjt 2->14         started        16 svchost.exe 2->16         started        18 13 other processes 2->18 signatures3 process4 dnsIp5 136 Contains functionality to inject code into remote processes 11->136 138 Injects a PE file into a foreign processes 11->138 21 JV4ILFxpDY.exe 11->21         started        140 Machine Learning detection for dropped file 14->140 24 jhewjjt 14->24         started        142 Changes security center settings (notifications, updates, antivirus, firewall) 16->142 26 MpCmdRun.exe 16->26         started        86 192.168.2.1 unknown unknown 18->86 28 WerFault.exe 18->28         started        signatures6 process7 signatures8 112 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->112 114 Maps a DLL or memory area into another process 21->114 116 Checks if the current machine is a virtual machine (disk enumeration) 21->116 30 explorer.exe 12 21->30 injected 118 Creates a thread in another existing process (thread injection) 24->118 35 conhost.exe 26->35         started        process9 dnsIp10 90 185.233.81.115, 443, 49727 SUPERSERVERSDATACENTERRU Russian Federation 30->90 92 188.166.28.199, 80 DIGITALOCEAN-ASNUS Netherlands 30->92 94 10 other IPs or domains 30->94 72 C:\Users\user\AppData\Roaming\jhewjjt, PE32 30->72 dropped 74 C:\Users\user\AppData\Local\Temp\F10C.exe, PE32 30->74 dropped 76 C:\Users\user\AppData\Local\Temp812.exe, PE32 30->76 dropped 78 11 other malicious files 30->78 dropped 96 System process connects to network (likely due to code injection or exploit) 30->96 98 Benign windows process drops PE files 30->98 100 Deletes itself after installation 30->100 102 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->102 37 D675.exe 30->37         started        40 8939.exe 30->40         started        42 85ED.exe 2 30->42         started        45 2 other processes 30->45 file11 signatures12 process13 file14 120 Detected unpacking (changes PE section rights) 37->120 122 Detected unpacking (overwrites its own PE header) 37->122 124 Found evasive API chain (may stop execution after checking mutex) 37->124 134 4 other signatures 37->134 126 Machine Learning detection for dropped file 40->126 128 Injects a PE file into a foreign processes 40->128 47 8939.exe 40->47         started        70 C:\Users\user\AppData\Local\...\exmrkmjs.exe, PE32 42->70 dropped 50 cmd.exe 42->50         started        53 cmd.exe 42->53         started        55 sc.exe 42->55         started        130 Antivirus detection for dropped file 45->130 132 Multi AV Scanner detection for dropped file 45->132 57 8DFC.exe 45->57         started        60 WerFault.exe 3 10 45->60         started        signatures15 process16 dnsIp17 144 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 47->144 146 Maps a DLL or memory area into another process 47->146 148 Checks if the current machine is a virtual machine (disk enumeration) 47->148 150 Creates a thread in another existing process (thread injection) 47->150 68 C:\Windows\SysWOW64\...\exmrkmjs.exe (copy), PE32 50->68 dropped 62 conhost.exe 50->62         started        64 conhost.exe 53->64         started        66 conhost.exe 55->66         started        88 86.107.197.138, 38133, 49860 MOD-EUNL Romania 57->88 file18 signatures19 process20
Threat name:
Win32.Trojan.Krypter
Status:
Malicious
First seen:
2022-01-14 00:47:11 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:amadey family:arkei family:loaderbot family:raccoon family:smokeloader family:tofsee family:xmrig botnet:default backdoor collection discovery evasion loader miner persistence spyware stealer suricata trojan upx
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
UPX packed file
Arkei Stealer Payload
LoaderBot executable
XMRig Miner Payload
Amadey
Arkei
LoaderBot
Raccoon
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Windows security bypass
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
xmrig
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
http://file-file-host4.com/tratata.php
patmushta.info
parubey.info
185.215.113.35/d2VxjasuwS/index.php
Unpacked files
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
SH256 hash:
587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f
MD5 hash:
228e9e4a42f5596a5becbacc44a03fc7
SHA1 hash:
c1207ad874e88db39fb45fbb30b80a22b14a3f8d

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.108.104.175:1193 https://threatfox.abuse.ch/ioc/295071

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f

(this sample)

  
Delivery method
Distributed via web download

Comments