MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f28b73d46cfd9702df5c1991aad67eff91c69ed2ba9bbc7dc5e14c74168d2ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 13



SHA256 hash: 5f28b73d46cfd9702df5c1991aad67eff91c69ed2ba9bbc7dc5e14c74168d2ee
SHA3-384 hash: 70445688ba8d4fa8ad37f61e1c7dc9de6c4221c2019088b8374002d6a3e22caeb51bfa3140f585a0fe5713628a2609af
SHA1 hash: 9a18fa96f0a762aa17b2aedfb173b8fa844ddebd
MD5 hash: 1f848adb44112bc76b1a4f80b53e8f4b
humanhash: texas-salami-november-fillet
File name: SecuriteInfo.com.Trojan.MulDropNET.43.23142.19432
Signature: Amadey
File size: 946'176 bytes
First seen: 2023-08-24 07:27:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 24576:0htcXs14r6d2EnTDsXZyjuHmT3T09jZ1MONmPBtoVGczKz/oI6Z3LXRe6c98alR7:SRVnlhDw1A
TLSH: T179155834319D349393794B159A7569C9DB07BE332E22EFCD18BB129D09332635A0B2BD
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: SecuriteInfoCom
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 304
Origin country: FR

Vendor Threat Intelligence

Malware family:
ID: 1
File name: SecuriteInfo.com.Trojan.MulDropNET.43.23142.19432
Verdict: Malicious activity
Analysis date: 2023-08-24 07:28:39 UTC
Tags: amadey trojan loader fabookie stealer smoke

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Sending an HTTP GET request
Searching for synchronization primitives
DNS request
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Fabookie, Glupteba, SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sample uses string decryption to hide its real strings
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses STUN server to do NAT traversial
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Glupteba
Yara detected SmokeLoader
Behaviour
Behavior Graph: ID 1296424; sample SecuriteInfo.com.Trojan.Mul...; start date 24/08/2023; architecture WINDOWS; score 100

Sample level (graph root):
  network: cdn.discordapp.com
  signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
  started: SecuriteInfo.com.Trojan.MulDropNET.43.23142.19432.exe, svchost.exe, oneetx.exe, 10 other processes

Process tree (dropped files, contacted hosts and signatures are listed under the process they belong to):

SecuriteInfo.com.Trojan.MulDropNET.43.23142.19432.exe
  dropped: C:\Users\user\AppData\Local\Temp\ss41.exe (PE32+); C:\Users\user\AppData\Local\...\oldplayer.exe (PE32)
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  oldplayer.exe
    dropped: C:\Users\user\AppData\Local\...\oneetx.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to inject code into remote processes
    oneetx.exe
      network: 5.42.65.80 (ports 49709, 49710, 49712; RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 45.66.230.149 (ports 49711, 80; CMCSUS, Germany)
      dropped: C:\Users\user\AppData\Local\Temp\...\data.exe (PE32); C:\Users\user\AppData\Local\...\toolwork.exe (PE32); C:\Users\user\AppData\Local\...\data[1].exe (PE32); C:\Users\user\AppData\...\toolwork[1].exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 3 other signatures
      data.exe
        signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 2 other signatures
        data.exe
          dropped: C:\Windows\rss\csrss.exe (PE32)
          signatures: Drops executables to the windows directory (C:\Windows) and starts them; Creates an autostart registry key pointing to binary in C:\Windows
          csrss.exe
            network: server16.zaoshang.ooo, 185.82.216.49 (ports 443, 50059, 50068; ITL-BG, Bulgaria); 5 other IPs or domains
            dropped: C:\Windows\windefender.exe (PE32); C:\Users\user\AppData\Local\...\injector.exe (PE32+); C:\Users\...\NtQuerySystemInformationHook.dll (PE32+); 5 other malicious files
            signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; Uses STUN server to do NAT traversial (on the server16.zaoshang.ooo connection)
            powershell.exe -> conhost.exe
            schtasks.exe -> conhost.exe
            schtasks.exe -> conhost.exe
            powershell.exe -> conhost.exe
          cmd.exe
            signatures: Uses netsh to modify the Windows network and firewall settings
            netsh.exe
              signatures: Creates files in the system32 config directory
            conhost.exe
          powershell.exe -> conhost.exe
          2 other processes -> 2 other processes
        powershell.exe -> conhost.exe
      toolwork.exe
        signatures: Machine Learning detection for dropped file; Injects a PE file into a foreign processes
        toolwork.exe
          signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
          explorer.exe (injected)
            network: host-host-file8.com, 194.169.175.250 (ports 49908, 80; CLOUDCOMPUTINGDE, Germany); host-file-host6.com
            dropped: C:\Users\user\AppData\Roaming\wufwfgw (PE32)
            signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
            csrss.exe
              cmd.exe
                conhost.exe
                fodhelper.exe
                fodhelper.exe
      cmd.exe
        conhost.exe
        cmd.exe
        cmd.exe
        4 other processes
      schtasks.exe -> conhost.exe
  ss41.exe
    network: app.nnnaajjjgc.com, 154.221.26.108 (ports 49714, 49727, 49744; HKKFGL-AS-APHKKwaifongGroupLimitedHK, Seychelles); 2 other IPs or domains
    dropped: C:\Users\...\69e8a82c71a2908d7c71d6d3215eee5c (SQLite)
    signatures: Detected unpacking (creates a PE file in dynamic memory); Contains functionality to steal Chrome passwords or cookies; Tries to harvest and steal browser information (history, passwords, etc); Performs DNS TXT record lookups (on the app.nnnaajjjgc.com lookup)
svchost.exe
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
oneetx.exe (started at sample level)
10 other processes (started at sample level)
Threat name: ByteCode-MSIL.Trojan.Amadey
Status: Malicious
First seen: 2023-08-24 07:28:10 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:amadey family:fabookie family:glupteba family:smokeloader botnet:up3 backdoor dropper evasion loader persistence rootkit spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Amadey
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
SmokeLoader
Windows security bypass
Malware Config
C2 Extraction:
5.42.65.80/8bmeVwqx/index.php
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SHA256 hash: 5f28b73d46cfd9702df5c1991aad67eff91c69ed2ba9bbc7dc5e14c74168d2ee
MD5 hash: 1f848adb44112bc76b1a4f80b53e8f4b
SHA1 hash: 9a18fa96f0a762aa17b2aedfb173b8fa844ddebd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MALWARE_Win_DLInjector04
Author: ditekSHen
Description: Detects downloader / injector

Rule name: msil_rc4

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: shortloader
Author: Nikos 'n0t' Totosis
Description: ShortLoader Payload

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Amadey
File type: Executable exe
SHA256 hash: 5f28b73d46cfd9702df5c1991aad67eff91c69ed2ba9bbc7dc5e14c74168d2ee (this sample)
