MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f4e6ad9f409c18f6906419c137bc8774da698a6b715841f346498a6ca9e7baa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f4e6ad9f409c18f6906419c137bc8774da698a6b715841f346498a6ca9e7baa
SHA3-384 hash: 4a0844842362951328e56a2ce0325d021adc474aed86fcbc35a11aedd2207dfeba82a998151d824a06b2e2f1adf56b2c
SHA1 hash: 70ad839d8287300264279c8246e89b52cba92f66
MD5 hash: 801319c3a5b08bffa1007c1b31e9bad7
humanhash: bakerloo-ink-vermont-venus
File name:SecuriteInfo.com.Variant.Graftor.769271.19443.2387
Download: download sample
Signature Amadey
Create hunting rule
File size:1'392'640 bytes
First seen:2024-01-18 01:41:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc5d3d653af3c3decf6e755f0007c4f6 (11 x Amadey, 1 x LummaStealer)
ssdeep 24576:K/xQ2dk2tdfjWKqo/ACUOrxehcCAb3dyaI+asia71eldsY6RcrBO3boEyFo:Tik2ttWHoYn0xnCAb3dg+RBeiYnrB+bM
TLSH T1BD553388B5C1C67AE13DF7F47720D97021701F6DD059982CBAF68189C2DF5E6D8A2B06
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
402
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
5f4e6ad9f409c18f6906419c137bc8774da698a6b715841f346498a6ca9e7baa.exe
Verdict:
Malicious activity
Analysis date:
2024-01-18 01:43:16 UTC
Tags:
amadey botnet stealer redline loader stealc fabookie smoke smokeloader
Link:
https://app.any.run/tasks/578c5059-646a-4aea-b284-d416675095f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/471392/
Detection(s):
SecuriteInfo.com.Variant.Graftor.769271.19443.2387.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
enigma lolbin masquerade obfuscated packed packed shell32
Link:
https://www.filescan.io/uploads/65a881eb2d57b697a60fe9f7/reports/4311d672-519d-4140-b26a-33222a119de0/overview
Verdict:
Malicious
Labled as:
Graftor.Generic
Link:
https://www.hybrid-analysis.com/sample/5f4e6ad9f409c18f6906419c137bc8774da698a6b715841f346498a6ca9e7baa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spark
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0408ef4e-d8ce-472c-8ba7-d6375484e1cc
Result
Threat name:
Amadey, Fabookie, Glupteba, LummaC Steal
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1376456
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1376456 Sample: SecuriteInfo.com.Variant.Gr... Startdate: 18/01/2024 Architecture: WINDOWS Score: 100 140 www.aorp.org.br 2->140 142 trad-einmyus.com 2->142 144 26 other IPs or domains 2->144 176 Snort IDS alert for network traffic 2->176 178 Multi AV Scanner detection for domain / URL 2->178 180 Found malware configuration 2->180 182 27 other signatures 2->182 12 SecuriteInfo.com.Variant.Graftor.769271.19443.2387.exe 5 2->12         started        16 explorhe.exe 2->16         started        18 explorhe.exe 2->18         started        20 3 other processes 2->20 signatures3 process4 file5 104 C:\Users\user\AppData\Local\...\explorhe.exe, PE32 12->104 dropped 216 Detected unpacking (changes PE section rights) 12->216 218 Hides threads from debuggers 12->218 22 explorhe.exe 53 12->22         started        27 WerFault.exe 20->27         started        signatures6 process7 dnsIp8 150 185.215.113.68, 49705, 49706, 49708 WHOLESALECONNECTIONSNL Portugal 22->150 152 aorp.org.br 192.185.223.216, 443, 49707 UNIFIEDLAYER-AS-1US United States 22->152 154 2 other IPs or domains 22->154 86 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 22->86 dropped 88 C:\Users\user\...\SetupPowerGREPDemo.exe, PE32+ 22->88 dropped 90 C:\Users\user\AppData\Local\Temp\...\data.exe, PE32 22->90 dropped 92 23 other malicious files 22->92 dropped 184 Multi AV Scanner detection for dropped file 22->184 186 Detected unpacking (changes PE section rights) 22->186 188 Creates an undocumented autostart registry key 22->188 190 3 other signatures 22->190 29 latestrocki.exe 22->29         started        33 Rdx1.exe 1 22->33         started        35 flesh.exe 22->35         started        38 8 other processes 22->38 file9 signatures10 process11 dnsIp12 106 C:\Users\user\AppData\Local\...\toolspub1.exe, PE32 29->106 dropped 108 C:\Users\user\AppData\Local\Temp\rty25.exe, PE32+ 29->108 dropped 110 C:\Users\user\AppData\...\InstallSetup7.exe, PE32 29->110 dropped 112 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 29->112 dropped 220 Multi AV Scanner detection for dropped file 29->220 40 InstallSetup7.exe 29->40         started        45 toolspub1.exe 29->45         started        47 31839b57a4f11171d6abc8bbc4451ee4.exe 29->47         started        49 rty25.exe 29->49         started        222 Found many strings related to Crypto-Wallets (likely being stolen) 33->222 224 Contains functionality to inject code into remote processes 33->224 226 Writes to foreign memory regions 33->226 242 2 other signatures 33->242 51 RegAsm.exe 8 4 33->51         started        53 RegAsm.exe 33->53         started        146 5.42.65.31 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 35->146 114 C:\Users\user\AppData\Local\...\qemu-ga.exe, PE32 35->114 dropped 228 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->228 230 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->230 232 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 35->232 55 qemu-ga.exe 35->55         started        148 195.20.16.103 EITADAT-ASFI Finland 38->148 116 C:\Users\user\jsesnldTaYPHTXk.pdf, PE32 38->116 dropped 118 C:\Users\user\SdyLefZdGCnLXaH.pdf, PE32 38->118 dropped 120 C:\Users\user\AppData\...\ms_updater.exe, PE32 38->120 dropped 122 2 other malicious files 38->122 dropped 234 System process connects to network (likely due to code injection or exploit) 38->234 236 Drops PE files to the user root directory 38->236 238 Tries to harvest and steal browser information (history, passwords, etc) 38->238 240 Sample uses process hollowing technique 38->240 57 ms_updater.exe 38->57         started        59 3 other processes 38->59 file13 signatures14 process15 dnsIp16 156 185.172.128.53 NADYMSS-ASRU Russian Federation 40->156 158 185.172.128.90 NADYMSS-ASRU Russian Federation 40->158 94 C:\Users\user\AppData\Local\...\nsx582B.tmp, PE32 40->94 dropped 96 C:\Users\user\AppData\Local\...\INetC.dll, PE32 40->96 dropped 98 C:\Users\user\AppData\...\BroomSetup.exe, PE32 40->98 dropped 100 C:\Users\user\AppData\...\syncUpd[1].exe, PE32 40->100 dropped 192 Multi AV Scanner detection for dropped file 40->192 61 nsx582B.tmp 40->61         started        66 BroomSetup.exe 40->66         started        194 Detected unpacking (changes PE section rights) 45->194 196 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 45->196 198 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 45->198 214 3 other signatures 45->214 68 explorer.exe 45->68 injected 200 Detected unpacking (overwrites its own PE header) 47->200 202 Found Tor onion address 47->202 70 powershell.exe 47->70         started        72 31839b57a4f11171d6abc8bbc4451ee4.exe 47->72         started        74 WerFault.exe 47->74         started        160 i.alie3ksgaa.com 154.92.15.189 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 49->160 102 C:\Users\...\d41fbd207533a39c6368349e618b4a39, SQLite 49->102 dropped 204 Tries to harvest and steal browser information (history, passwords, etc) 49->204 162 141.95.211.148, 46011, 49711 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 51->162 206 Found many strings related to Crypto-Wallets (likely being stolen) 51->206 208 Tries to steal Crypto Currency Wallets 51->208 164 94.156.65.198 TERASYST-ASBG Bulgaria 57->164 210 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 57->210 212 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 57->212 166 20.79.30.95 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 59->166 file17 signatures18 process19 dnsIp20 168 185.172.128.79 NADYMSS-ASRU Russian Federation 61->168 124 C:\Users\user\AppData\...\softokn3[1].dll, PE32 61->124 dropped 126 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 61->126 dropped 128 C:\Users\user\AppData\...\mozglue[1].dll, PE32 61->128 dropped 136 9 other files (5 malicious) 61->136 dropped 244 Multi AV Scanner detection for dropped file 61->244 246 Detected unpacking (changes PE section rights) 61->246 248 Detected unpacking (overwrites its own PE header) 61->248 256 5 other signatures 61->256 76 cmd.exe 66->76         started        170 45.15.156.13 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 68->170 172 146.0.41.68 MYLOC-ASIPBackboneofmyLocmanagedITAGDE Germany 68->172 174 7 other IPs or domains 68->174 130 C:\Users\user\AppData\Roaming\ireafgr, PE32 68->130 dropped 132 C:\Users\user\AppData\Local\Temp\FD03.exe, PE32 68->132 dropped 134 C:\Users\user\AppData\Local\Temp\9FCE.exe, PE32 68->134 dropped 138 5 other malicious files 68->138 dropped 250 System process connects to network (likely due to code injection or exploit) 68->250 252 Benign windows process drops PE files 68->252 254 Hides that the sample has been downloaded from the Internet (zone.identifier) 68->254 78 conhost.exe 70->78         started        file21 signatures22 process23 process24 80 conhost.exe 76->80         started        82 chcp.com 76->82         started        84 schtasks.exe 76->84         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5f4e6ad9f409c18f6906419c137bc8774da698a6b715841f346498a6ca9e7baa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f4e6ad9f409c18f6906419c137bc8774da698a6b715841f346498a6ca9e7baa/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-01-18 01:42:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5hgvwpubhay62igigobg66io5g2ngfgw4kyihzumsmknsu6pova._file
Verdict:
suspicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240118-b4nv7sadcj/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
5f4e6ad9f409c18f6906419c137bc8774da698a6b715841f346498a6ca9e7baa
MD5 hash:
801319c3a5b08bffa1007c1b31e9bad7
SHA1 hash:
70ad839d8287300264279c8246e89b52cba92f66
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/95715863-dd3e-4627-8922-e10eb07e2e07/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f4e6ad9f409c18f6906419c137bc8774da698a6b715841f346498a6ca9e7baa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 5f4e6ad9f409c18f6906419c137bc8774da698a6b715841f346498a6ca9e7baa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2749106/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/471392/

Comments