MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 15

Intelligence 15 IOCs YARA 13 File information Comments 1

SHA256 hash:	5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7
SHA3-384 hash:	ee86ad3e70101ebd7ac176502305941637855b71b97ebfb398f0c0bd425f98be6ac0cde5b13df14952685090e9718aa2
SHA1 hash:	4011c6ad06cf1be487e9f1bf293a278e480920fa
MD5 hash:	b9c3c735a3d1eae297ca362bee3393ef
humanhash:	item-early-texas-comet
File name:	b9c3c735a3d1eae297ca362bee3393ef
Download:	download sample
Signature	Amadey Create hunting rule
File size:	3'269'632 bytes
First seen:	2024-03-18 07:12:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	49152:ORG+vntX/MnSttuawC44f/q+XTXqV7FCDuC7wEMw5wozXnlni8RYaJ5fJ4DYXZdN:275h5Lbndfyanx4EpuoZ
Threatray	167 similar samples on MalwareBazaar
TLSH	T140E5D02857E85A06F6FBBB7A99F9A0518EB6FC77FA35E74D1080151E4432B428C80737
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	zbetcheckin
Tags:	32 Amadey exe

Intelligence

File Origin

# of uploads :

# of downloads :

422

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7.exe

Verdict:

Malicious activity

Analysis date:

2024-03-18 07:37:43 UTC

Tags:

amadey botnet stealer

Link:

https://app.any.run/tasks/3aa8fcf1-2055-43c9-8bdd-e821ee61d233

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Win.Packed.Msilheracles-10017859-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Connection attempt to an infection source

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Sending an HTTP GET request

Forced system process termination

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin obfuscated packed packed remote smartassembly smart_assembly

Link:

https://www.filescan.io/uploads/65f7e9825cd908a33db7a46f/reports/6466dd35-451e-44ba-9e17-53fc012f68e8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/cd16ec80-f4c5-43e0-b681-ebfe0284e9f8

Result

Threat name:

Amadey, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1410635

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected Costura Assembly Loader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7/

Threat name:

Win32.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2024-03-17 17:06:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l3pwq3tem4umicura7a7vpkspzogyk7rvrxmomtp4574wgpdlk3q._file

Verdict:

malicious

Amadey

4b4ca1dd5aeba2b42668b3b6fb98335f0a7d159d6db73da34f1060e0a917fee1

Amadey

5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7

Amadey

6f4297025fa48f5f412dd305ba5a03560c1ee83e32e94a461b788c3b42575155

Amadey

71f7d548c9ea57b8c9dcc3f426adabdddb4451e65837b63c4c25dc2a812717e2

Amadey

90f43f41f50f5c7f266f9353d21c3733468bad8644be318d48568415a6d9b89b

Amadey

c3ebf4be0b4811457b9e366c08c5543ae9904dc028417aa378095ca9c8036984

Amadey

+ 157 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:amadey family:zgrat persistence rat trojan

Link:

https://tria.ge/reports/240318-h13zaabh3x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Amadey

Detect ZGRat V1

ZGRat

Malware Config

C2 Extraction:

http://ruspyc.top

Unpacked files

SH256 hash:

78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677

MD5 hash:

f9d2985aa1c41cca281321fffb5ed424

SHA1 hash:

3a7a58d2dcae2762882357ae34d372744b1dbb9d

Link:

https://www.unpac.me/results/b76e8849-9887-4320-9186-52e4cc9a4df3/

SH256 hash:

4aff76dbf54311f2bcf0b6814f26d3c558061fd4b3c360b83c4e6bb2df3f6dc7

MD5 hash:

1796c588eaac8165d0977ea613deced2

SHA1 hash:

2dc34d0596ebfb2f750dd65fd71e4b8c4777300b

Detections:

win_amadey_auto

win_amadey

Link:

https://www.unpac.me/results/b76e8849-9887-4320-9186-52e4cc9a4df3/

Parent samples :

5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7
d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e
573af37432fd9cd8881a41511d518ff2415c0e0273ffa63c0d17fc9841b01254

SH256 hash:

b43d27f578d59bba9ca1eae68faaa2a90aa0bdc57acc6d5d55155890644c3648

MD5 hash:

fa15004d147fed7c849f67c580e549c4

SHA1 hash:

2bc58836600a6a52a8109431b0e71f427baf9f4c

Link:

https://www.unpac.me/results/b76e8849-9887-4320-9186-52e4cc9a4df3/

SH256 hash:

72d841ae4d911880674a01f1767224fc1ab9fbacd659fc614e2ec2ebaa3d57f7

MD5 hash:

dba40dff863631bb8fa159be3b40e98f

SHA1 hash:

2a8f3e32b03b3ebd55d2b90518d437c2fabe1efc

Link:

https://www.unpac.me/results/b76e8849-9887-4320-9186-52e4cc9a4df3/

SH256 hash:

fa6aeda639381ff8724dddccbf25bb8490cc0aa52e2aadde7e0faa454c7f920e

MD5 hash:

04a80b6482a1d061b1506ad8256a60e7

SHA1 hash:

12706245d9802d9091c518de195d9560dd81acc4

Link:

https://www.unpac.me/results/b76e8849-9887-4320-9186-52e4cc9a4df3/

SH256 hash:

40b8d90585d9a304b609bf0c1dee89060575781f4163a60338f5f391b32836f5

MD5 hash:

bd911eae8932957cf3eeb3b9a8cc0d64

SHA1 hash:

006388c825f9475c9c3e9f78bd5805b0fe915b83

Link:

https://www.unpac.me/results/b76e8849-9887-4320-9186-52e4cc9a4df3/

SH256 hash:

5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7

MD5 hash:

b9c3c735a3d1eae297ca362bee3393ef

SHA1 hash:

4011c6ad06cf1be487e9f1bf293a278e480920fa

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/b76e8849-9887-4320-9186-52e4cc9a4df3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Amadey Create hunting rule
Author:	kevoreilly
Description:	Amadey Payload

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Generic_Threat_bd24be68 Create hunting rule
Author:	Elastic Security

Rule name:	win_amadey_a9f4 Create hunting rule
Author:	Johannes Bader
Description:	matches unpacked Amadey samples

Rule name:	win_amadey_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.amadey.

Rule name:	win_amadey_bytecodes_oct_2023 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects bytecodes present in Amadey Bot malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

exe 5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2785518/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-03-18 07:12:32 UTC

url : hxxp://193.233.132.167/lend/Ama2.exe