MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2
SHA3-384 hash: 7d097336e32924dae04f4f4cd4395369a37a5a5c8059263b647dcce9554876e091643e770e61b087f7af1cd0109c6fb2
SHA1 hash: 11051c4a389238fe7e2202cb506a6f23cfa6bfa4
MD5 hash: 38b5deb16f9cd877a6a7ca7c7434b5ea
humanhash: black-mississippi-oregon-solar
File name:Setup.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:391'168 bytes
First seen:2022-05-17 15:00:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0328a7958ec44d4b27f5ea8928c8e8f5 (4 x RedLineStealer, 1 x Amadey, 1 x Smoke Loader)
ssdeep 6144:fEIgOuHyMWtqjWI3HB4kb6yWy4VC6PzDdS9CPxUFu4fwFupfDeoXC:fEItQWYiIXB4kb6PCYE26fv
Threatray 1'022 similar samples on MalwareBazaar
TLSH T1CD848D00B760D434F1B7D6F5497A82A8B62ABEE15B2491CF53D5BAEE56346D0EC3030B
TrID 39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter JaffaCakes118
Tags:Amadey exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.182:15304 https://threatfox.abuse.ch/ioc/579232/
109.107.174.10:1702 https://threatfox.abuse.ch/ioc/583354/

Intelligence

File Origin
# of uploads :
1
# of downloads :
364
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-05-17 15:00:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a817e82e-fe1b-4834-ab44-abd0ab0ad795

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/271675/
Detection(s):
Win.Packed.Generic-9950062-0
Create hunting rule

Win.Dropper.Stopcrypt-9950158-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/18364/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6283b8dffd71ca8b2eeb48d7/reports/dfefd80b-36eb-4398-9c51-1f85e94875bf/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b4486b5-fb5a-46f9-a1ab-3f2e9d96c224
Result
Threat name:
Nymaim, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/995965
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 628463 Sample: Setup.exe Startdate: 17/05/2022 Architecture: WINDOWS Score: 100 59 toa.mygametoa.com 2->59 61 telegram.org 2->61 63 2 other IPs or domains 2->63 101 Snort IDS alert for network traffic 2->101 103 Malicious sample detected (through community Yara rule) 2->103 105 Antivirus detection for URL or domain 2->105 107 22 other signatures 2->107 8 Setup.exe 4 86 2->8         started        signatures3 process4 dnsIp5 65 212.193.30.21, 49759, 49778, 49841 SPD-NETTR Russian Federation 8->65 67 212.193.30.45, 49746, 49840, 80 SPD-NETTR Russian Federation 8->67 69 12 other IPs or domains 8->69 29 C:\Users\...\utPvijGVZsAFXOxkl7lU0Dek.exe, PE32 8->29 dropped 31 C:\Users\...\qTUbYOFbzpbQ1LZXiOcFavP7.exe, PE32 8->31 dropped 33 C:\Users\...\ohCIF2RvilcN7BsLzDYAkIFJ.exe, PE32 8->33 dropped 35 35 other files (15 malicious) 8->35 dropped 109 May check the online IP address of the machine 8->109 111 Creates HTML files with .exe extension (expired dropper behavior) 8->111 113 Disable Windows Defender real time protection (registry) 8->113 13 YP8gdB9qRs6GAS0M2RnFBy3m.exe 17 8->13         started        17 ohCIF2RvilcN7BsLzDYAkIFJ.exe 8->17         started        20 qTUbYOFbzpbQ1LZXiOcFavP7.exe 8->20         started        22 7 other processes 8->22 file6 signatures7 process8 dnsIp9 77 t.me 149.154.167.99, 443, 49839 TELEGRAMRU United Kingdom 13->77 79 telegram.org 13->79 81 ipinfo.io 13->81 45 C:\Users\...\bamFsSXYVyYN8LnhE5rJTvzS.exe, PE32 13->45 dropped 47 C:\Users\user\AppData\Local\...\WW14[1].bmp, PE32 13->47 dropped 49 C:\...\PowerControl_Svc.exe, PE32 13->49 dropped 24 bamFsSXYVyYN8LnhE5rJTvzS.exe 13->24         started        89 Writes to foreign memory regions 17->89 91 Allocates memory in foreign processes 17->91 93 Injects a PE file into a foreign processes 17->93 95 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->95 97 Checks if the current machine is a virtual machine (disk enumeration) 20->97 83 95.217.244.73 HETZNER-ASDE Germany 22->83 85 memorial.asvp.org.br 186.202.153.98 LocawebServicosdeInternetSABR Brazil 22->85 87 tiny.one 188.114.97.10 CLOUDFLARENETUS European Union 22->87 51 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 22->51 dropped 53 C:\ProgramData\vcruntime140.dll, PE32 22->53 dropped 55 C:\ProgramData\softokn3.dll, PE32 22->55 dropped 57 4 other files (none is malicious) 22->57 dropped 99 Tries to harvest and steal browser information (history, passwords, etc) 22->99 file10 signatures11 process12 dnsIp13 71 5kdfbjghdf5.monster 24->71 73 5kdfbjghdf5.monster 188.72.236.239 WEBZILLANL Netherlands 24->73 75 6 other IPs or domains 24->75 37 C:\Users\...\3G0ub5yInRHKldLatDOMSJP1.exe, PE32 24->37 dropped 39 C:\Users\user\...39iceProcessX64[1].bmp, PE32+ 24->39 dropped 41 C:\Users\user\AppData\Local\...\setup[1].exe, PE32 24->41 dropped 43 9 other files (2 malicious) 24->43 dropped 115 Antivirus detection for dropped file 24->115 117 May check the online IP address of the machine 24->117 119 Performs DNS queries to domains with low reputation 24->119 121 Tries to harvest and steal browser information (history, passwords, etc) 24->121 file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2022-05-17 15:01:06 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
15 of 26 (57.69%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lojndwgb34gmijmrxqc4wyrtdiupktrvm3dqrkh5coyazn3iqhba._file
Verdict:
malicious
Similar samples:
0a7682c0607e0fcb3580d28aec0e3439d6eae0cde1ab3359832046f7f33cdb0f
Amadey
1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4
Amadey
a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e
Amadey
a5453a830d01639ad537320c94e68565341328c872a8f2d3456221a0bec6f3e9
Amadey
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
Amadey
e2e7294a6fee9ef6372897f3bebffb0d17bc31b9cf8c663181e192a608057061
Amadey
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
Amadey
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
Amadey
+ 1'012 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion spyware stealer suricata trojan
Link:
https://tria.ge/reports/220517-sdvdqsgdan/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Unpacked files
SH256 hash:
eaac934eb8c0d46762dcfe0aacc02969ea1514f31ada9f4d5849da0518d0f725
MD5 hash:
923b24e40767143bbcdb6450e77353bc
SHA1 hash:
f9437a36bb01a0d9cd668ef2669bb3b627fd4116
Link:
https://www.unpac.me/results/3b8b2302-0343-4b22-8f18-8ae1031d5f1b/
SH256 hash:
5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2
MD5 hash:
38b5deb16f9cd877a6a7ca7c7434b5ea
SHA1 hash:
11051c4a389238fe7e2202cb506a6f23cfa6bfa4
Link:
https://www.unpac.me/results/3b8b2302-0343-4b22-8f18-8ae1031d5f1b/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b92d1d8c1df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/271675/

Comments