MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f61f3547f1936ef781e7acfb92205123aff9222eb881ef1af1f77fee0298f65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 16



SHA256 hash: 5f61f3547f1936ef781e7acfb92205123aff9222eb881ef1af1f77fee0298f65
SHA3-384 hash: 7d0073f7fbabcdb109d11880811497b765e1b410ae012787527f867fa5afdb4894df42726b860e290b50cfd54224dab3
SHA1 hash: 4d0032f6e4519b2d0fa431a815c096b8043ac4f0
MD5 hash: 07f3255d8027aa07ae9f3ef4dfa3c19a
humanhash: chicken-hotel-wolfram-bravo
File name:07f3255d8027aa07ae9f3ef4dfa3c19a.exe
Signature Amadey
File size:989'913 bytes
First seen:2023-06-21 17:20:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:7jMPHYYxLyeU0b/ZOsIu1kRz0WkZLhXxRb1L7PkPXZ3wQcIKPBz6VXclRM6f3tya:fMP3XjvIpOLdRPIiL5
Threatray 2'007 similar samples on MalwareBazaar
TLSH T1B325CDDD765071DFC85BC4729EA82C64FA60B47B831B5203A42766EEAE4D897CF140F2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:Amadey exe
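A note on the imphash field above, with an added example that is not part of the MalwareBazaar entry or of any vendor report. The listed value is the one every managed (.NET) executable produces, because the only native import a .NET EXE carries is mscoree.dll!_CorExeMain (the CLR bootstrap); that is why the same imphash is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples and is useless as a pivot here. The Python below re-implements the imphash algorithm as pefile computes it and shows the collision. The native import table used for contrast is constructed for illustration and is not taken from this sample.

```python
import hashlib
from typing import List, Sequence, Tuple, Union

# The imphash shown on this entry. It is shared with 48'647 AgentTesla,
# 19'450 Formbook and 12'201 SnakeKeylogger samples for the reason the
# code below makes explicit.
LISTED_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# Ordered import table: [(dll_name, [function_name | ordinal, ...]), ...]
ImportTable = Sequence[Tuple[str, Sequence[Union[str, int]]]]


def imphash(imports: ImportTable) -> str:
    """Import hash as pefile computes it (the algorithm behind the
    'imphash' field): for each imported function, '<dll>.<func>' with the
    DLL lowercased and its .dll/.sys/.ocx extension removed, the function
    lowercased, ordinals written as 'ordN'; entries joined by ',' in
    import-table order; MD5 of that string.
    """
    parts: List[str] = []
    for dll, funcs in imports:
        lib = dll.lower()
        stem, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "sys", "ocx"):
            lib = stem
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# A managed (.NET) EXE's native import table contains exactly one entry:
# mscoree.dll!_CorExeMain. Everything the program actually does lives in
# IL metadata, which imphash never sees.
DOTNET_EXE_IMPORTS: ImportTable = [("mscoree.dll", ["_CorExeMain"])]

# Constructed native import table for contrast (not from this sample).
NATIVE_IMPORTS: ImportTable = [
    ("KERNEL32.dll", ["CreateProcessW", "WriteProcessMemory", "SetThreadContext"]),
    ("ADVAPI32.dll", ["RegSetValueExW"]),
    ("WS2_32.dll", [2, 23]),  # imported by ordinal
]


def is_generic_dotnet_imphash(value: str) -> bool:
    """True when an imphash is the one every .NET EXE produces, i.e. it
    carries no information about the sample's own behaviour."""
    return value.lower() == imphash(DOTNET_EXE_IMPORTS)


def pivot_worthy(value: str) -> bool:
    """Cheap filter before spending a similarity query on an imphash."""
    return not is_generic_dotnet_imphash(value)


if __name__ == "__main__":
    print(imphash(DOTNET_EXE_IMPORTS), "(every .NET EXE)")
    print(imphash(NATIVE_IMPORTS), "(constructed native table)")
    print("pivot on the listed imphash?", pivot_worthy(LISTED_IMPHASH))
```

For a .NET sample like this one, ssdeep and TLSH (also listed above) and the YARA matches are the useful similarity pivots; imphash only tells you that the file is managed code.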


abuse_ch
Amadey C2:
89.23.101.91:1487

Intelligence


File Origin
# of uploads :
1
# of downloads :
290
Origin country :
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
07f3255d8027aa07ae9f3ef4dfa3c19a.exe
Verdict:
Malicious activity
Analysis date:
2023-06-21 17:22:28 UTC
Tags:
amadey trojan rat redline loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph ID: 892234. Sample: IHUec9ljdL.exe. Start date: 21/06/2023. Architecture: WINDOWS. Score: 100.
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures.

Process tree recovered from the graph:

IHUec9ljdL.exe (submitted sample)
  - drops C:\Users\user\AppData\...\IHUec9ljdL.exe.log (CSV)
  - Contains functionality to inject code into remote processes; Injects a PE file into a foreign process
  - IHUec9ljdL.exe (two injected child instances)
    - drops C:\Users\user\AppData\Local\...\legends.exe (PE32) and C:\Users\user\...\legends.exe:Zone.Identifier (ASCII)
    - WMIADAP.exe
    - legends.exe
      - Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
      - legends.exe
        - network: 95.214.27.98 (CMCSUS, Germany; listed ports 49708, 49709, 49710)
        - drops C:\Users\user\AppData\Roaming\...\clip64.dll (PE32), C:\Users\user\AppData\Local\...\Builddd.exe (PE32), C:\Users\user\AppData\Local\...\rocket.exe (PE32) and 7 other malicious files
        - Creates an undocumented autostart registry key
        - Builddd.exe
          - network: 89.23.101.91:1487 (local port 49910; MAXITEL-ASRU, Russian Federation)
          - Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController); Tries to harvest and steal browser information (history, passwords, etc)
        - rocket.exe
          - network: 94.142.138.212:26540 (local port 49893; IHOR-ASRU, Russian Federation)
          - Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive); Tries to steal Crypto Currency Wallets
        - 100K.exe
          - network: 149.202.0.245:44897 (local port 49859; OVHFR, France)
        - 4 other processes
          - network: i.ibb.co (162.19.58.161):443 (local port 49716; CENTURYLINK-US-LEGACY-QWESTUS, United States)
          - Contains functionality to modify clipboard data; Hides that the sample has been downloaded from the Internet (zone.identifier)
          - conhost.exe (two instances), cmd.exe, 5 other processes
legends.exe (two further top-level instances) and 3 other top-level processes, each spawning another legends.exe
Threat name:
ByteCode-MSIL.Trojan.Heracles
Status:
Malicious
First seen:
2023-06-04 22:47:32 UTC
File Type:
PE (.Net Exe)
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:amadey family:redline botnet:@newredlinevip cloud (tg: @fatherofcarders) botnet:bart_simpson_bartik botnet:rocketpro discovery infostealer spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Amadey
RedLine
Malware Config
C2 Extraction:
95.214.27.98/cronus/index.php
149.202.0.245:44897
94.142.138.212:26540
89.23.101.91:1487
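The extraction block mixes two indicator shapes: the Amadey panel as an IP plus path (plain HTTP, so port 80 is implied) and the RedLine TCP endpoints as ip:port. As an added example that is not part of the MalwareBazaar entry or of any vendor report, the Python below normalises both shapes, emits one Suricata rule per indicator, and runs a retrospective hunt over flow records. The flow records are constructed for the example (they echo the local ports shown in the behaviour graph but are not sandbox output), and the port-80 default, rule text and SID range are this example's assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# The four C2 indicators exactly as listed in the extraction above.
C2_EXTRACTION = [
    "95.214.27.98/cronus/index.php",
    "149.202.0.245:44897",
    "94.142.138.212:26540",
    "89.23.101.91:1487",
]


@dataclass(frozen=True)
class C2Indicator:
    ip: str
    port: int
    path: Optional[str]  # only the Amadey HTTP panel carries one


_C2_RE = re.compile(
    r"(?:(?P<scheme>https?)://)?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/\S*)?"
)


def parse_c2(raw: str) -> C2Indicator:
    """Normalise 'ip:port' (RedLine TCP C2) and 'ip/path' (Amadey HTTP
    panel). Assumption: a path-style indicator without a scheme or port is
    plain HTTP on port 80."""
    m = _C2_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError(f"unrecognised C2 indicator: {raw!r}")
    ipaddress.IPv4Address(m["ip"])  # rejects junk such as 300.1.1.1
    if m["port"] is not None:
        port = int(m["port"])
    else:
        port = 443 if m["scheme"] == "https" else 80
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {raw!r}")
    return C2Indicator(m["ip"], port, m["path"])


def suricata_rules(indicators: Sequence[C2Indicator], sid_base: int = 9100001) -> List[str]:
    """One rule per indicator. The HTTP panel gets a method and URI match so
    an unrelated request to the same host on port 80 does not fire."""
    rules = []
    for n, ind in enumerate(indicators):
        sid = sid_base + n
        if ind.path:
            rules.append(
                f'alert http $HOME_NET any -> {ind.ip} {ind.port} '
                f'(msg:"Amadey C2 panel check-in"; flow:established,to_server; '
                f'http.method; content:"POST"; http.uri; content:"{ind.path}"; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)'
            )
        else:
            rules.append(
                f'alert tcp $HOME_NET any -> {ind.ip} {ind.port} '
                f'(msg:"RedLine/Amadey C2 connection"; flow:to_server; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)'
            )
    return rules


# (ts, src, sport, dst, dport), e.g. columns pulled from a Zeek conn.log
Flow = Tuple[str, str, int, str, int]


def hunt_connections(rows: Sequence[Flow], indicators: Sequence[C2Indicator]) -> List[Flow]:
    """Retrospective hunt on destination ip:port. Flow logs carry no URI,
    so the panel indicator is matched on host and port alone here."""
    wanted = {(i.ip, i.port) for i in indicators}
    return [r for r in rows if (r[3], r[4]) in wanted]


# Constructed flow records for the example (not sandbox output).
SAMPLE_FLOWS: List[Flow] = [
    ("2023-06-21T17:22:40Z", "10.0.0.15", 49708, "95.214.27.98", 80),
    ("2023-06-21T17:22:41Z", "10.0.0.15", 49716, "162.19.58.161", 443),
    ("2023-06-21T17:22:55Z", "10.0.0.15", 49910, "89.23.101.91", 1487),
    ("2023-06-21T17:23:01Z", "10.0.0.15", 50001, "89.23.101.91", 443),  # same host, different port
]


def hunt_listed() -> List[Flow]:
    """Apply the entry's four indicators to the constructed flow records."""
    return hunt_connections(SAMPLE_FLOWS, [parse_c2(r) for r in C2_EXTRACTION])


if __name__ == "__main__":
    print("\n".join(suricata_rules([parse_c2(r) for r in C2_EXTRACTION])))
    for hit in hunt_listed():
        print("HIT", hit)
```

The i.ibb.co connection seen in the behaviour graph is deliberately not in the rule set: it is a public image host used for payload retrieval, and blocking or alerting on it by IP would be noisy and short-lived.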
Unpacked files
SHA256 hash:
f4118141f772d469066b1285f99e2cfd940f20677683b89ba85c8b44ec98c3b6
MD5 hash:
8b0aced39e275f156c6936c73000549b
SHA1 hash:
5657c526c8224cb4e93c24b396a07f8eac7ff5f2
Detections:
Amadey
Parent samples :
SHA256 hash:
5f61f3547f1936ef781e7acfb92205123aff9222eb881ef1af1f77fee0298f65
MD5 hash:
07f3255d8027aa07ae9f3ef4dfa3c19a
SHA1 hash:
4d0032f6e4519b2d0fa431a815c096b8043ac4f0
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:win_amadey_a9f4
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments