MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5abccf6b1cdcdb5eff6c00de089850a6f81b0813f2afc3b79d4d681defdabf95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5abccf6b1cdcdb5eff6c00de089850a6f81b0813f2afc3b79d4d681defdabf95
SHA3-384 hash: 1c78b9f503e84a9331a475d37889cc81cffd929b93cb45d73958724eb5ce087297d2ea1b341eea3c69a934d0fe28c5b0
SHA1 hash: 2531f7690b37dc1b11d1c6d36ce91dea22425742
MD5 hash: faf9368f40e64b2ad9d47b1b6e0b958b
humanhash: april-comet-speaker-robert
File name:faf9368f40e64b2ad9d47b1b6e0b958b.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:51'712 bytes
First seen:2021-03-30 07:07:37 UTC
Last seen:2021-03-30 08:00:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 384:l8jTThbyEku1Ka4XhHeV3wjiC6+Ma85dHjPEQzydqrYuhRxqtXcTu2OhdxE9hWZG:yByENK9h+rlRajoh4TOj4J4O0n
Threatray 153 similar samples on MalwareBazaar
TLSH DA33B6199344F127D1A21A355922E878370DF7345C81720DDA92446CCFA6AEEFCCEBDA
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://176.111.174.66/Hq13Vdsv2W/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
421
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
faf9368f40e64b2ad9d47b1b6e0b958b.exe
Verdict:
Malicious activity
Analysis date:
2021-03-30 07:17:19 UTC
Tags:
trojan amadey loader stealer
Link:
https://app.any.run/tasks/99e6763c-a746-49ef-9b77-1ae735686984

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127928/
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.61335.19876.19277.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Creating a file
Moving a recently created file
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Running batch commands
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/658080
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 377972 Sample: oGXloWqEh5.exe Startdate: 30/03/2021 Architecture: WINDOWS Score: 100 90 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->90 92 Multi AV Scanner detection for domain / URL 2->92 94 Antivirus detection for URL or domain 2->94 96 7 other signatures 2->96 10 oGXloWqEh5.exe 21 11 2->10         started        process3 dnsIp4 88 x11fdf4few8f41f.com 104.21.73.19, 49698, 80 CLOUDFLARENETUS United States 10->88 72 C:\Users\user\AppData\...\303fptie.newcfg, XML 10->72 dropped 74 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 10->74 dropped 108 Contains functionality to inject code into remote processes 10->108 110 Adds a directory exclusion to Windows Defender 10->110 112 Hides threads from debuggers 10->112 15 oGXloWqEh5.exe 4 10->15         started        18 WerFault.exe 10->18         started        20 AdvancedRun.exe 1 10->20         started        22 2 other processes 10->22 file5 signatures6 process7 file8 76 C:\ProgramData\d23c4bc78e\bkdm.exe, PE32 15->76 dropped 24 bkdm.exe 15->24         started        78 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->78 dropped 29 AdvancedRun.exe 20->29         started        31 conhost.exe 22->31         started        33 conhost.exe 22->33         started        35 timeout.exe 1 22->35         started        process9 dnsIp10 82 x11fdf4few8f41f.com 24->82 84 172.67.137.73, 49706, 80 CLOUDFLARENETUS United States 24->84 70 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 24->70 dropped 100 Multi AV Scanner detection for dropped file 24->100 102 Machine Learning detection for dropped file 24->102 104 Adds a directory exclusion to Windows Defender 24->104 106 Hides threads from debuggers 24->106 37 bkdm.exe 24->37         started        41 cmd.exe 24->41         started        43 AdvancedRun.exe 24->43         started        45 2 other processes 24->45 86 192.168.2.1 unknown unknown 29->86 file11 signatures12 process13 dnsIp14 80 176.111.174.66, 49723, 49724, 49725 WILWAWPL Russian Federation 37->80 62 C:\Users\user\AppData\Local\...\cred[1].dll, PE32 37->62 dropped 64 C:\Users\user\AppData\Local\...\scr[1].dll, PE32 37->64 dropped 66 C:\ProgramData\8a8a4f61cb34cb\scr.dll, PE32 37->66 dropped 68 C:\ProgramData\8a8a4f61cb34cb\cred.dll, PE32 37->68 dropped 47 cmd.exe 37->47         started        49 conhost.exe 41->49         started        51 timeout.exe 41->51         started        53 AdvancedRun.exe 43->53         started        55 conhost.exe 45->55         started        file15 process16 process17 57 reg.exe 47->57         started        60 conhost.exe 47->60         started        signatures18 98 Creates an undocumented autostart registry key 57->98
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5abccf6b1cdcdb5eff6c00de089850a6f81b0813f2afc3b79d4d681defdabf95/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-30 01:01:24 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lk6m62y43tnv573madpargcqu34bwcat6kx4hn45jvub3362x6kq._file
Verdict:
malicious
Similar samples:
0aab43b526e9c5c16eb0d285a6c1c50fba4c750a23020234f3c1a8d329074b6b
Amadey
28a75db0185788d50a739a0e1354d1b84fa4a0cd55527d6103cbef6685147584
Amadey
3abf0b6da06a8740f91acf87b964de2b314220cf14226b003af9c97acd2ce926
Amadey
53237c2782ec5dbdabb8350a3ef5e8c25662436052e92ae1300f3f41be984ea6
Amadey
726a77e9ed33bcd7f0178d49fc6f332410fdff0e88d35b19521b54e81835eff5
Amadey
a4fc3473070e7f587dbfec7574d0ca62765d002cce206903a5762e68ef736945
Amadey
b58f6d597c88e79bb34ee776227be235121b7a0f6b99170ff57ff66a96a940ed
Amadey
c10df7ff1234d45342b534153be81de8f252e88ae00413bdd476ddfc05d542e9
Amadey
d67a9a907a5ca20e610e3e69777ebc80eb61c55e849545e85297046843538ab3
Amadey
e8906defdb9b6b6648f2d39348d4b250d809cb0fe3d53b70ace4abe2090d06df
Amadey
+ 143 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey evasion spyware stealer trojan
Link:
https://tria.ge/reports/210330-e137k24vfj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads local data of messenger clients
Windows security modification
Blocklisted process makes network request
Executes dropped EXE
Nirsoft
Amadey
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Malware Config
C2 Extraction:
176.111.174.66/Hq13Vdsv2W/index.php
Unpacked files
SH256 hash:
5abccf6b1cdcdb5eff6c00de089850a6f81b0813f2afc3b79d4d681defdabf95
MD5 hash:
faf9368f40e64b2ad9d47b1b6e0b958b
SHA1 hash:
2531f7690b37dc1b11d1c6d36ce91dea22425742
Link:
https://www.unpac.me/results/942689b6-9d49-4425-ba5a-45d51a3b6544/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5abccf6b1cdcdb5eff6c00de089850a6f81b0813f2afc3b79d4d681defdabf95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 5abccf6b1cdcdb5eff6c00de089850a6f81b0813f2afc3b79d4d681defdabf95

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1088411/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127928/

Comments