MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: 587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f
SHA3-384 hash: a61f76779137bbfc730af80e4fdfe4dd89211757445836b2c487fcd4c348020b897607b024a70e64aa2ed46540dcb01e
SHA1 hash: c1207ad874e88db39fb45fbb30b80a22b14a3f8d
MD5 hash: 228e9e4a42f5596a5becbacc44a03fc7
humanhash: missouri-echo-mountain-cold
File name:228e9e4a42f5596a5becbacc44a03fc7.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:320'000 bytes
First seen:2022-01-14 00:46:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1edccb2e6808b6fbc3aa19660b738ec5 (1 x Amadey, 1 x RedLineStealer, 1 x CoinMiner)
ssdeep 6144:/Oavz6WY4qUEWuH0EAy7mlXafNHJgrtkP7T2A/HHdsJs:m3WY4qUlEUXGHCRkTT2AHd
Threatray 6'550 similar samples on MalwareBazaar
TLSH T131649E10BBA0C035F5B762F845B597BCB93E7EA1972490CB12D52AEA47346E0EC3171B
File icon (PE):PE icon
dhash icon 2dac1378399b9b91 (14 x RedLineStealer, 11 x ArkeiStealer, 8 x Smoke Loader)
Reporter @abuse_ch
Tags:Amadey exe


Twitter
@abuse_ch
Amadey C2:
65.108.104.175:1193

Intelligence

File Origin
# of uploads :
1
# of downloads :
493
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
228e9e4a42f5596a5becbacc44a03fc7.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-14 00:49:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f70f3df1-c55c-4812-839d-ad928e06ed2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219195/
Detection(s):
Win.Packed.Tofsee-9935687-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4146/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes tofsee
Link:
https://www.filescan.io/uploads/61e0c809f2e8ec86fefa4f8b/reports/64366151-53fd-4d18-913d-8b55b6c77ffb/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e4d6c8f-3e5b-4e55-bc6e-c53a2335bb5d
Result
Threat name:
RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920507
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 552985 Sample: JV4ILFxpDY.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 80 googlehosted.l.googleusercontent.com 2->80 82 clients2.googleusercontent.com 2->82 84 2 other IPs or domains 2->84 104 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->104 106 Multi AV Scanner detection for domain / URL 2->106 108 Antivirus detection for URL or domain 2->108 110 13 other signatures 2->110 11 JV4ILFxpDY.exe 2->11         started        14 jhewjjt 2->14         started        16 svchost.exe 2->16         started        18 13 other processes 2->18 signatures3 process4 dnsIp5 136 Contains functionality to inject code into remote processes 11->136 138 Injects a PE file into a foreign processes 11->138 21 JV4ILFxpDY.exe 11->21         started        140 Machine Learning detection for dropped file 14->140 24 jhewjjt 14->24         started        142 Changes security center settings (notifications, updates, antivirus, firewall) 16->142 26 MpCmdRun.exe 16->26         started        86 192.168.2.1 unknown unknown 18->86 28 WerFault.exe 18->28         started        signatures6 process7 signatures8 112 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->112 114 Maps a DLL or memory area into another process 21->114 116 Checks if the current machine is a virtual machine (disk enumeration) 21->116 30 explorer.exe 12 21->30 injected 118 Creates a thread in another existing process (thread injection) 24->118 35 conhost.exe 26->35         started        process9 dnsIp10 90 185.233.81.115, 443, 49727 SUPERSERVERSDATACENTERRU Russian Federation 30->90 92 188.166.28.199, 80 DIGITALOCEAN-ASNUS Netherlands 30->92 94 10 other IPs or domains 30->94 72 C:\Users\user\AppData\Roaming\jhewjjt, PE32 30->72 dropped 74 C:\Users\user\AppData\Local\Temp\F10C.exe, PE32 30->74 dropped 76 C:\Users\user\AppData\Local\Temp812.exe, PE32 30->76 dropped 78 11 other malicious files 30->78 dropped 96 System process connects to network (likely due to code injection or exploit) 30->96 98 Benign windows process drops PE files 30->98 100 Deletes itself after installation 30->100 102 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->102 37 D675.exe 30->37         started        40 8939.exe 30->40         started        42 85ED.exe 2 30->42         started        45 2 other processes 30->45 file11 signatures12 process13 file14 120 Detected unpacking (changes PE section rights) 37->120 122 Detected unpacking (overwrites its own PE header) 37->122 124 Found evasive API chain (may stop execution after checking mutex) 37->124 134 4 other signatures 37->134 126 Machine Learning detection for dropped file 40->126 128 Injects a PE file into a foreign processes 40->128 47 8939.exe 40->47         started        70 C:\Users\user\AppData\Local\...\exmrkmjs.exe, PE32 42->70 dropped 50 cmd.exe 42->50         started        53 cmd.exe 42->53         started        55 sc.exe 42->55         started        130 Antivirus detection for dropped file 45->130 132 Multi AV Scanner detection for dropped file 45->132 57 8DFC.exe 45->57         started        60 WerFault.exe 3 10 45->60         started        signatures15 process16 dnsIp17 144 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 47->144 146 Maps a DLL or memory area into another process 47->146 148 Checks if the current machine is a virtual machine (disk enumeration) 47->148 150 Creates a thread in another existing process (thread injection) 47->150 68 C:\Windows\SysWOW64\...\exmrkmjs.exe (copy), PE32 50->68 dropped 62 conhost.exe 50->62         started        64 conhost.exe 53->64         started        66 conhost.exe 55->66         started        88 86.107.197.138, 38133, 49860 MOD-EUNL Romania 57->88 file18 signatures19 process20
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f/
Threat name:
Win32.Trojan.Krypter
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 00:47:11 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://www.spamhaus.org/query/hash/lb7bksegdqoxfdsfrqnadroxo6fjtaocsl2hfuhfhn3c4uwdcexq._file
Verdict:
malicious
Similar samples:
02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408
Amadey
1d1fc9d23aa14b4f484fb86c173c94084bc14a9f551747b6e06366649a229af5
Amadey
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
Amadey
47ec411eab0aa15619f24caa6256ed4ca5cfc695a26f5b71830b53b07c22b05b
Amadey
4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a
Amadey
c9f18cc71c7a1fa61d43a32dfb858f9aa247324a188f8182981b853266d3b1c7
Amadey
d836a03e0b7eeabbc971de7d3e6fcc11bf06e13e633d11118c7429b3abb3c4ed
Amadey
f7b5a27355eafa5302a38a1e0adadcb619b6d42e7c1707a784297634a180a66f
Amadey
+ 6'540 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:arkei family:loaderbot family:raccoon family:smokeloader family:tofsee family:xmrig botnet:default backdoor collection discovery evasion loader miner persistence spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220114-a47smsdfcj/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
UPX packed file
Arkei Stealer Payload
LoaderBot executable
XMRig Miner Payload
Amadey
Arkei
LoaderBot
Raccoon
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Windows security bypass
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
xmrig
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
http://file-file-host4.com/tratata.php
patmushta.info
parubey.info
185.215.113.35/d2VxjasuwS/index.php
Unpacked files
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
Link:
https://www.unpac.me/results/a8359325-d075-4078-9fb5-ee990127e955/
SH256 hash:
587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f
MD5 hash:
228e9e4a42f5596a5becbacc44a03fc7
SHA1 hash:
c1207ad874e88db39fb45fbb30b80a22b14a3f8d
Link:
https://www.unpac.me/results/a8359325-d075-4078-9fb5-ee990127e955/
AV coverage:
33.82%
AV detections:
23 / 68
Link:
https://www.virustotal.com/gui/file/587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f/detection/f-587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f-1642118134
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.108.104.175:1193 https://threatfox.abuse.ch/ioc/295071

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 587e1548861c1d728e458c1a01c5d7778a9981c292f472d0e53b762e52c3112f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1950845/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1970216/
Cape
Cape
https://www.capesandbox.com/analysis/219195/

Comments