MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 11

SHA256 hash: 59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280
SHA3-384 hash: 4feb438bb16043d7b9a48a976cef00afe7a4b42dfbf2f386f9dae50bf8fbdf2781a30869794a1291ca59be9332e3f564
SHA1 hash: 9c48ef300ab266e6c1d6d05e3baa5247b8eb2ecb
MD5 hash: d1448a7cd7fcf240c520f3838fe18976
humanhash: lemon-friend-freddie-artist
File name: 59716B314BA0D53B7E8DE32A73AF01B7B383834BF038C.exe
Download: download sample
Signature: Amadey
File size: 7'550'815 bytes
First seen: 2021-11-14 13:35:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:xRLUCgQ8auK7AWV9ATCD+g/qWU314s6FMlnsbc1Mqwxef:xRdgQ8auUs+qWU1lj0qyc
TLSH: T1087633203FD998A4C6901432EF8477FA1EFA8BB41C39C9D373590D4D9F619A2D22B257
File icon (PE): PE icon
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: Amadey exe


abuse_ch
Amadey C2:
95.143.179.152:42556

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
95.143.179.152:42556     https://threatfox.abuse.ch/ioc/248050/
http://91.219.237.226/   https://threatfox.abuse.ch/ioc/248088/
91.206.14.151:64591      https://threatfox.abuse.ch/ioc/248091/

Intelligence

File Origin
# of uploads: 1
# of downloads: 277
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Sending a UDP request
Creating a window
DNS request
Launching cmd.exe command interpreter
Creating a process with a hidden window
Searching for analyzing tools
Sending an HTTP GET request
Reading critical registry keys
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Changing a file
Sending an HTTP GET request to an infection source
Replacing files
Query of malicious DNS domain
Unauthorized injection to a recently created process
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Stealing user critical data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph (rendered graph not reproduced; node data recovered from the graph text):
Behavior Graph ID: 521387
Sample: 59716B314BA0D53B7E8DE32A73A...
Startdate: 14/11/2021
Architecture: WINDOWS
Score: 100
Root process 59716B314BA0D53B7E8DE32A73AF01B7B383834BF038C.exe (started):
  Network: ip-api.com (208.95.112.1) port 80, TUT-ASUS, United States; 104.208.16.94, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 5 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 18 other signatures
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Mon11fbe0c8a7f0b4a47.exe (PE32); C:\Users\user\AppData\...\Mon11f8437179.exe (PE32); 16 other files (11 malicious)
setup_install.exe (started by the root process):
  Network: 127.0.0.1; hsiens.xyz
  Signatures: Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender
  Children: cmd.exe (three instances); 10 other processes (Adds a directory exclusion to Windows Defender)
Started via cmd.exe: Mon1171bdf4053512.exe; Mon11e73d87d47b7.exe; Mon1182b0194f4f89e7.exe
Started via the 10 other processes: Mon112667aa79a82a20.exe; Mon11fbe0c8a7f0b4a47.exe; Mon11b2a87bc5ae6.exe; 5 other processes
Mon1171bdf4053512.exe:
  Network: 103.155.93.165, TWIDC-AS-APTWIDCLimitedHK; 212.193.30.21, SPD-NETTR, Russian Federation; 13 other IPs or domains
  Dropped: C:\Users\...\hGW4_0M43wBM0QDVHPVmG4GB.exe (PE32); C:\Users\user\AppData\...\Service[1].bmp (PE32); C:\Users\user\AppData\Local\...\IN[1].exe (PE32); 31 other files (7 malicious)
  Signatures: Antivirus detection for dropped file; Creates HTML files with .exe extension (expired dropper behavior); Machine Learning detection for dropped file; 2 other signatures
Mon11e73d87d47b7.exe:
  Network: 91.121.67.60, OVHFR, France
  Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 2 other signatures
Mon1182b0194f4f89e7.exe:
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
Mon112667aa79a82a20.exe:
  Signatures: 2 other signatures
Mon11fbe0c8a7f0b4a47.exe:
  Network: iplogger.org (5.9.162.45) port 443, HETZNER-ASDE, Germany; 2 other IPs or domains
  Signatures: May check the online IP address of the machine
Mon11b2a87bc5ae6.exe:
  Signatures: Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
5 other processes:
  Network: 5 other IPs or domains
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-10-04 15:26:06 UTC
AV detection: 22 of 27 (81.48%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:937 botnet:ani botnet:jamesoldd aspackv2 backdoor evasion infostealer spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
65.108.20.195:6774
45.142.215.47:27643
https://koyu.space/@qmashton
Unpacked files

SHA256 hash: b17556e0701ba790d74827a85c7632bc6e621aae6eac300ab7c4f47e677d4dc6
MD5 hash: 4de7b53cf359da4230b3ffb88bbd7725
SHA1 hash: 40591c50a302156c49ee1afd70e917d50a29f9a9

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: c43c4ba2b6d7fa8f979f91077b21e57a75b2dc7794efb6f901f39e481d878448
MD5 hash: 52da452865e606e10398d997ff4d34ca
SHA1 hash: f4b750d6212e38081f33b02e93b2586dfcbcac17

SHA256 hash: bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash: 417411e71de543ffbe76242943ba5b90
SHA1 hash: e50f45218c6d01cb67787add25491acfead007fa

SHA256 hash: 43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash: c83860b0db60b9f69468301ee2a58fca
SHA1 hash: d826cc0323eb208e36b3e9ef00225430c6f031e1

SHA256 hash: 3d43af5691f1faf776f48dae2c726bf71a39c3b185ba91a68aee535ca64d297e
MD5 hash: 19dfc7239c15abb97e3dd3e7145ce7a4
SHA1 hash: bb0f61b7c22c4dc2e4de778f8d452f8ef54b8fd3

SHA256 hash: 475ccb182c0fa0d87c752b60deff09c9e144dfbc6488f5379225039d0f03828e
MD5 hash: 7566c1430d7a37a56bf3bfb458d54390
SHA1 hash: 990c4c4faf20ac9a4dba1cde3f40e9ad0a4692b9

SHA256 hash: 259e0d662f388c659dc3e2bfecfd3126d9c2f536068b0f4e1ba489554f227a9c
MD5 hash: 21f2fd31d18816e1990ae1db615605d0
SHA1 hash: 8dc30a01b93fa2cfc714100fa5f6b5f44de76f5a

SHA256 hash: 82114fa979bdf8f7c777fa8ffae0e3d1fbe7de86709f2f449a32880da264a0af
MD5 hash: 3633dd586081adc476ce5ef9c103f382
SHA1 hash: 827373e1c2a60e43e45b76e74a44840b9170de54

SHA256 hash: e1f83cd727f92af27da611c4c17cd9100a7d0ce13a48eca945e18f09e2182f82
MD5 hash: ad203f3463d90387bc0ca93751b2c55b
SHA1 hash: 435342d5afdc34c215a4d3103e544cb07ebe0efb

SHA256 hash: d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash: 70220a3ce6ffd34101b3770342505f2c
SHA1 hash: b55c421634d8eeaec5c6193f34c04625d21a9ae9

SHA256 hash: 6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash: c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash: a43a5a59038fca5a63fa526277f241f855177ce6

SHA256 hash: bc945e03237641e79cb1a9b5399fffafce68daa318430e959b701aa3f4628c05
MD5 hash: 5275ae278e347d83fb061a92e979fe86
SHA1 hash: 6c1118b87f366df72a25f1988f740ea6753984cd

SHA256 hash: cc40fc4502d705d9698fd9d9493efdd39f6fcd0f0e03678eef29773b80e51ff9
MD5 hash: bf8b0c8e992a344ce312c8a939fa1c9e
SHA1 hash: 3e207a18a539ab6ec17737e6fe79562f59502718

SHA256 hash: 2cf67278ce63932f7efabdee1be667555c408718fca6622de2456b8e59db69cf
MD5 hash: 7b9e5d37881a3e58e26e22c79de09d47
SHA1 hash: 0cf699c041c6f7ad485b77f25403776aab99c057

SHA256 hash: 9f04dccffc46ef617c2bcd4911c2b92bde4aac2681dc85123941233688917d8b
MD5 hash: 3390aeea9ea7b60c49cbced8e7ebde48
SHA1 hash: cb89aee24f671ed2b3e0ec27874c387f08a4b1ff

SHA256 hash: bf5e9574f1678d3ce022f5b21ceae86a397e7eea739e878749b22b7c00afff9d
MD5 hash: b870bd01a6e2b110a0ee6b2075c4191f
SHA1 hash: 26af19dbaf92672c293c5abb423d55d6bc9e8318

SHA256 hash: a681f6683dda98a3665790970127eca74c5ce71e0e87ef5c2498fef11a7eb087
MD5 hash: 43d829d1067c670c36029f496bd3c39e
SHA1 hash: 37b9c803a3b352bc126dc9942f3d81036ac497ee

SHA256 hash: 078700a7aa5618cad998c6dee75b6f7ade29cfe29d588ec1ed94ab0e201b11df
MD5 hash: 691495b7b82c8b6e688f911f30b754d5
SHA1 hash: 7a38b5ebe17b1f37868a298b027aadeb581e58fc

SHA256 hash: 760b56ea2404344cc81eaf5b07d85b95646d56227a4e29792bd2615f121c97f3
MD5 hash: c4d0b17af6b02fa285182d7af559ebe0
SHA1 hash: afa7479d89b01a79348cd3e4aceec6703f7dcbc9

SHA256 hash: 59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280
MD5 hash: d1448a7cd7fcf240c520f3838fe18976
SHA1 hash: 9c48ef300ab266e6c1d6d05e3baa5247b8eb2ecb

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments