MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5abcb0035ad730532dc6e4e194dce446b33df11c34a0a954a09e0d0394271f64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5abcb0035ad730532dc6e4e194dce446b33df11c34a0a954a09e0d0394271f64
SHA3-384 hash: 7caeeba5c3da485f9fda5bc6c457db9a959e9f1a0047d475b10f58cd06ff15fd77bc6175de960c68923d6291e40b29df
SHA1 hash: fbefeddfa4723b2cf294ef959e1bea9d03e4764b
MD5 hash: fedfd8cdc54e0e2a384defc1b5402cea
humanhash: robin-alpha-artist-wisconsin
File name:fedfd8cdc54e0e2a384defc1b5402cea.exe
Download: download sample
Signature Stop
Create hunting rule
File size:241'152 bytes
First seen:2023-01-29 16:45:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dd0e4efabc62274a7cfb37b4b7a2951d (17 x Amadey, 5 x RedLineStealer, 1 x Stop)
ssdeep 6144:zSRg+A7AZGFDubDXagraG0JzSRuVyLWNgEQqgE:zPsEjgwJ4uVyCNxJ
Threatray 985 similar samples on MalwareBazaar
TLSH T12F34F9217D16C031C96061B729B9BFF2C19DA8259B7049DB7B800F7BDA122E67970E3D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe Stop


Avatar
abuse_ch
Stop C2:
http://135.181.41.147/

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
fedfd8cdc54e0e2a384defc1b5402cea.exe
Verdict:
Malicious activity
Analysis date:
2023-01-29 16:46:35 UTC
Tags:
trojan amadey loader rat redline stealer vidar
Link:
https://app.any.run/tasks/a3e8878e-85db-48fc-9ec4-da2aa71a5971

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357982/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Connecting to a non-recommended domain
Sending an HTTP POST request
Launching a service
Adding an access-denied ACE
Creating a file
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Disabling the operating system update service
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63830/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
GetTempPath
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey greyware redline shell32.dll
Link:
https://www.filescan.io/uploads/63d6a2cb696b2d972574d3f5/reports/eabd5d1f-8224-4c7a-bd83-fe12eb14b60c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a664e806-7055-492a-8efb-57c7ef4c28d9
Result
Threat name:
Amadey, Ficker Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1161080
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 793813 Sample: 8o0liUP45l.exe Startdate: 29/01/2023 Architecture: WINDOWS Score: 100 119 transfer.sh 2->119 121 meODDRZdjhbTcv.meODDRZdjhbTcv 2->121 123 fasdas.link 2->123 149 Snort IDS alert for network traffic 2->149 151 Malicious sample detected (through community Yara rule) 2->151 153 Antivirus detection for URL or domain 2->153 155 15 other signatures 2->155 13 8o0liUP45l.exe 4 2->13         started        18 nbveek.exe 2->18         started        20 nbveek.exe 2->20         started        signatures3 process4 dnsIp5 139 192.168.2.1 unknown unknown 13->139 109 C:\Users\user\AppData\Local\...\nbveek.exe, PE32 13->109 dropped 111 C:\Users\user\...\nbveek.exe:Zone.Identifier, ASCII 13->111 dropped 205 Contains functionality to inject code into remote processes 13->205 22 nbveek.exe 54 13->22         started        file6 signatures7 process8 dnsIp9 129 62.204.41.72, 49691, 49692, 49694 TNNET-ASTNNetOyMainnetworkFI United Kingdom 22->129 131 62.204.41.90, 49693, 49696, 49699 TNNET-ASTNNetOyMainnetworkFI United Kingdom 22->131 89 C:\Users\user\AppData\Roaming\...\vina1.exe, PE32 22->89 dropped 91 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 22->91 dropped 93 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 22->93 dropped 95 25 other malicious files 22->95 dropped 165 Multi AV Scanner detection for dropped file 22->165 167 Creates an undocumented autostart registry key 22->167 169 Found stalling execution ending in API Sleep call 22->169 171 Uses schtasks.exe or at.exe to add and modify task schedules 22->171 27 lebro.exe 22->27         started        31 vina1.exe 22->31         started        33 lamka1.exe 22->33         started        36 13 other processes 22->36 file10 signatures11 process12 dnsIp13 105 C:\Users\user\AppData\Local\...\nbveek.exe, PE32 27->105 dropped 179 Multi AV Scanner detection for dropped file 27->179 38 nbveek.exe 27->38         started        107 C:\Users\user\AppData\...\vcredist_47d46d.dll, PE32+ 31->107 dropped 181 Query firmware table information (likely to detect VMs) 31->181 183 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 31->183 185 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 31->185 203 4 other signatures 31->203 113 62.204.41.170 TNNET-ASTNNetOyMainnetworkFI United Kingdom 33->113 187 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->187 189 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 33->189 191 Tries to harvest and steal browser information (history, passwords, etc) 33->191 193 Tries to steal Crypto Currency Wallets 33->193 115 82.115.223.9 MIDNET-ASTK-TelecomRU Russian Federation 36->115 117 176.113.115.16 SELECTELRU Russian Federation 36->117 195 Detected unpacking (changes PE section rights) 36->195 197 Detected unpacking (overwrites its own PE header) 36->197 199 Disable Windows Defender notifications (registry) 36->199 201 Disable Windows Defender real time protection (registry) 36->201 43 rundll32.exe 25 36->43         started        45 conhost.exe 36->45         started        47 conhost.exe 36->47         started        49 6 other processes 36->49 file14 signatures15 process16 dnsIp17 133 62.204.41.88, 49727, 49728, 49739 TNNET-ASTNNetOyMainnetworkFI United Kingdom 38->133 135 179.43.155.246, 49749, 80 PLI-ASCH Panama 38->135 137 4 other IPs or domains 38->137 97 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 38->97 dropped 99 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 38->99 dropped 101 C:\...\raud-290123del700_2023-01-29_12-52.exe, PE32 38->101 dropped 103 15 other malicious files 38->103 dropped 173 Multi AV Scanner detection for dropped file 38->173 51 OwvtknErB0Wl.exe 38->51         started        56 rundll32.exe 38->56         started        58 Player3.exe 38->58         started        62 6 other processes 38->62 175 System process connects to network (likely due to code injection or exploit) 43->175 177 Tries to steal Instant Messenger accounts or passwords 43->177 60 tar.exe 2 43->60         started        file18 signatures19 process20 dnsIp21 125 z3lupfbp2qx.mscwdpqs8ggwprc3spkoef5iw3djdiu 51->125 81 C:\Users\user\AppData\Local\...\4745390.dll, PE32 51->81 dropped 157 Multi AV Scanner detection for dropped file 51->157 159 Writes to foreign memory regions 51->159 161 Allocates memory in foreign processes 51->161 163 Injects a PE file into a foreign processes 51->163 64 rundll32.exe 56->64         started        83 C:\Users\user\AppData\Local\...\nbveek.exe, PE32 58->83 dropped 67 conhost.exe 60->67         started        127 81.161.229.96 CMCSUS Germany 62->127 85 C:\Users\user\AppData\...\nsis_uns4ad5e5.dll, PE32+ 62->85 dropped 87 C:\Users\user\AppData\Local\...ngine.exe, PE32 62->87 dropped 69 conhost.exe 62->69         started        71 conhost.exe 62->71         started        73 cmd.exe 62->73         started        75 5 other processes 62->75 file22 signatures23 process24 signatures25 141 System process connects to network (likely due to code injection or exploit) 64->141 143 Tries to steal Instant Messenger accounts or passwords 64->143 145 Tries to harvest and steal ftp login credentials 64->145 147 Tries to harvest and steal browser information (history, passwords, etc) 64->147 77 tar.exe 64->77         started        process26 process27 79 conhost.exe 77->79         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5abcb0035ad730532dc6e4e194dce446b33df11c34a0a954a09e0d0394271f64/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-01-29 16:46:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 26 (88.46%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lk6laa2224yfglog4tqzjxhei2zt34i4gsqksvfatygqhfbhd5sa._file
Verdict:
malicious
Similar samples:
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b
Stop
a4ebbc150158fdc325812c21cdc87ec88818c333a2e91286034137cba468e25c
Stop
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
Stop
b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
Stop
d677f86403915b15ab62b1278cc7e6a8f2a98de2ba6a84ee67e06c1ffd696bc1
Stop
e10013c1610befd6ba09dbbc264579d94a7e3815eb99a643636ea259d484f454
Stop
ee7bcbe03b47dc97be9ff40d314819a99dae85cfa544f726bbd59d2a4d770585
Stop
f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
Stop
+ 975 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:redline family:rhadamanthys botnet:0013 botnet:@redlinevip cloud (tg: @fatherofcarders) botnet:fredy botnet:lamer botnet:new botnet:new1 botnet:temp45645645 collection discovery evasion infostealer persistence ransomware spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/230129-t9ylpseb27/
Behaviour
outlook_win_path
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Stops running service(s)
VMProtect packed file
Amadey
Detect rhadamanthys stealer shellcode
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
Modifies security service
Process spawned unexpected child process
RedLine
RedLine payload
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
62.204.41.72/0bjdn2Z/index.php
62.204.41.88/9vdVVVjsw/index.php
62.204.41.170:4132
82.115.223.9:15486
176.113.115.16:4122
151.80.89.233:13553
77.73.134.27/8bmdh3Slb2/index.php
207.32.216.101:28563
http://drampik.com/raud/get.php
Unpacked files
SH256 hash:
5abcb0035ad730532dc6e4e194dce446b33df11c34a0a954a09e0d0394271f64
MD5 hash:
fedfd8cdc54e0e2a384defc1b5402cea
SHA1 hash:
fbefeddfa4723b2cf294ef959e1bea9d03e4764b
Link:
https://www.unpac.me/results/077d8961-bba9-48c4-bc01-0cffdf2ae1d8/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5abcb0035ad7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5abcb0035ad730532dc6e4e194dce446b33df11c34a0a954a09e0d0394271f64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 5abcb0035ad730532dc6e4e194dce446b33df11c34a0a954a09e0d0394271f64

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2519953/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/357982/
  
URLhaus
https://urlhaus.abuse.ch/url/2522536/

Comments