MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fa5259f186ea249622f17fa179e8b3c9a9cc5928914a8f1cea5a6665af62460. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 9

SHA256 hash: 5fa5259f186ea249622f17fa179e8b3c9a9cc5928914a8f1cea5a6665af62460
SHA3-384 hash: cdada8e27218aeba55a75a69b2824a84b8a9ba99f07f4c39d56a78fe5cdb78bcfa00b9d9a8e4841d0821a081396e2864
SHA1 hash: 3f2f7840427ec8a358cd9a6d83c5a704af452f35
MD5 hash: 2563ee29afcbb1fd11ccd5c4434c4902
humanhash: texas-north-muppet-fifteen
File name: 3f2f7840427ec8a358cd9a6d83c5a704af452f35.exe
Signature: Amadey
File size: 360'448 bytes
First seen: 2021-05-21 17:35:22 UTC
Last seen: 2021-05-21 18:17:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6930eddef69ab61e6824340dff912310 (2 x AZORult, 2 x BitRAT, 1 x Amadey)
ssdeep: 6144:vh5BZxMkcUsUzLjroA9C+6tRcKusP3xly4D0yioAlnG0LKVOQpxVe2qm9OdQVqnK:vh5BZxMkcUsUzLjr2RtRGsP3xl54lvlc
Threatray: 1'422 similar samples on MalwareBazaar
TLSH: 2F74E14FB7A84536E00346712E52ABA4436EF839965ADA07E3816F2D3EF1FC15863317
Reporter: abuse_ch
Tags: Amadey exe


abuse_ch
Amadey C2:
http://185.215.113.57/1dEr2nYffd/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://185.215.113.57/1dEr2nYffd/index.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/53608/

Intelligence


File Origin
# of uploads: 2
# of downloads: 310
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3f2f7840427ec8a358cd9a6d83c5a704af452f35.exe
Verdict: Malicious activity
Analysis date: 2021-05-21 18:04:49 UTC
Tags: trojan amadey evasion opendir loader stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: rans.phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph (ID: 419910; sample: S8Ptb4fECO.exe; start date: 21/05/2021; architecture: WINDOWS; score: 100)

Signatures at the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Potential malicious icon found; 9 other signatures

Process tree (each indented entry was started by the entry above it):
S8Ptb4fECO.exe
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to inject code into remote processes
    S8Ptb4fECO.exe
        Dropped: C:\Users\user\AppData\Local\...\blfte.exe, PE32
        blfte.exe
            Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures
            blfte.exe
                Network: 185.215.113.57, 49724, 49725, 49733 (WHOLESALECONNECTIONSNL, Portugal); iplogger.org 88.99.66.31, 443, 49726, 49727 (HETZNER-ASDE, Germany)
                Dropped: C:\Users\user\AppData\Local\...\scr[1].dll, PE32; C:\Users\user\AppData\Local\...\cred[1].dll, PE32; C:\ProgramData\e19b362424bbc4\scr.dll, PE32; C:\ProgramData\e19b362424bbc4\cred.dll, PE32
                rundll32.exe
                    Network: 192.168.2.5, 443, 49557, 49676 (unknown, unknown)
                    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials
                cmd.exe
                    reg.exe
                        Signatures: Creates an undocumented autostart registry key
                    conhost.exe
                rundll32.exe
                    Signatures: System process connects to network (likely due to code injection or exploit)
                schtasks.exe
                    conhost.exe
blfte.exe
    Signatures: Maps a DLL or memory area into another process
    blfte.exe
blfte.exe
Threat name: Win32.Downloader.Deyma
Status: Malicious
First seen: 2021-05-17 18:58:27 UTC
AV detection: 14 of 29 (48.28%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:amadey spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Malware Config
C2 Extraction: 185.215.113.57/1dEr2nYffd/index.php
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-05-21 18:25:07 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.035] Anti-Behavioral Analysis::Process Environment Block BeingDebugged
1) [B0001.036] Anti-Behavioral Analysis::Process Environment Block NtGlobalFlag
2) [C0031] Cryptography Micro-objective::Decrypt Data
3) [C0027.001] Cryptography Micro-objective::AES::Encrypt Data
4) [C0027] Cryptography Micro-objective::Encrypt Data
5) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0052] File System Micro-objective::Writes File
9) [C0007] Memory Micro-objective::Allocate Memory
10) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
11) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry