MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fd477d86003aeb6c4797790b53b477bde6d9b51b3bad6d10be8fc524142991f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fd477d86003aeb6c4797790b53b477bde6d9b51b3bad6d10be8fc524142991f
SHA3-384 hash: e93d374093851c06e6482b7e13bfd32148d89ec059b7fb64361be343f5d0970af829dcb906a7dce9d24d9555fa809f35
SHA1 hash: f418fe0bbab6fb438ab6161ff48bf8a1b6e658d0
MD5 hash: a87a642531553dc63467b188e7630b87
humanhash: hotel-uranus-lemon-six
File name:a87a642531553dc63467b188e7630b87.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:887'808 bytes
First seen:2023-09-30 01:15:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:XyXb3ZBbDTQvAvSFItVQCsBGZNeIGl1yM:ilBLzLtVHsBGjXWy
Threatray 819 similar samples on MalwareBazaar
TLSH T1EA152313A7D98177C6B64B7044FB064B2F327DE2193547AA63526C8E0C735C8EA7633A
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://77.91.124.1/theme/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/452128/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
DNS request
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/651776d332ffdb7a7a19a2c8/reports/386a7f5c-5b96-4e81-b77c-e279402c5534/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/5fd477d86003aeb6c4797790b53b477bde6d9b51b3bad6d10be8fc524142991f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb4bfd41-e0aa-40b6-9c81-ffc3657b9ed0
Result
Threat name:
Amadey, Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1317004
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1317004 Sample: dL3ySr3thq.exe Startdate: 30/09/2023 Architecture: WINDOWS Score: 100 122 Snort IDS alert for network traffic 2->122 124 Multi AV Scanner detection for domain / URL 2->124 126 Found malware configuration 2->126 128 15 other signatures 2->128 11 dL3ySr3thq.exe 1 4 2->11         started        14 rundll32.exe 2->14         started        16 explothe.exe 2->16         started        18 2 other processes 2->18 process3 file4 94 C:\Users\user\AppData\Local\...\z2615722.exe, PE32 11->94 dropped 96 C:\Users\user\AppData\Local\...\w3230159.exe, PE32 11->96 dropped 20 z2615722.exe 1 4 11->20         started        process5 file6 84 C:\Users\user\AppData\Local\...\z7422903.exe, PE32 20->84 dropped 86 C:\Users\user\AppData\Local\...\u8483886.exe, PE32 20->86 dropped 130 Antivirus detection for dropped file 20->130 132 Machine Learning detection for dropped file 20->132 24 z7422903.exe 1 4 20->24         started        28 u8483886.exe 20->28         started        signatures7 process8 file9 88 C:\Users\user\AppData\Local\...\z1419150.exe, PE32 24->88 dropped 90 C:\Users\user\AppData\Local\...\t6397499.exe, PE32 24->90 dropped 158 Antivirus detection for dropped file 24->158 160 Machine Learning detection for dropped file 24->160 30 z1419150.exe 1 4 24->30         started        34 t6397499.exe 24->34         started        92 C:\Users\user\AppData\Local\...\legota.exe, PE32 28->92 dropped 162 Multi AV Scanner detection for dropped file 28->162 36 legota.exe 28->36         started        signatures10 process11 dnsIp12 102 C:\Users\user\AppData\Local\...\s3219707.exe, PE32 30->102 dropped 104 C:\Users\user\AppData\Local\...\r0007021.exe, PE32 30->104 dropped 164 Machine Learning detection for dropped file 30->164 39 r0007021.exe 1 30->39         started        42 s3219707.exe 1 30->42         started        106 C:\Users\user\AppData\Local\...\explothe.exe, PE32 34->106 dropped 166 Antivirus detection for dropped file 34->166 168 Multi AV Scanner detection for dropped file 34->168 44 explothe.exe 34->44         started        112 77.91.68.78, 49813, 49814, 49816 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 36->112 108 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 36->108 dropped 110 C:\Users\user\AppData\Local\...\clip64[2].dll, PE32 36->110 dropped 48 cmd.exe 36->48         started        50 schtasks.exe 36->50         started        52 rundll32.exe 36->52         started        file13 signatures14 process15 dnsIp16 134 Machine Learning detection for dropped file 39->134 136 Contains functionality to inject code into remote processes 39->136 138 Writes to foreign memory regions 39->138 54 AppLaunch.exe 13 39->54         started        68 2 other processes 39->68 140 Allocates memory in foreign processes 42->140 142 Injects a PE file into a foreign processes 42->142 58 AppLaunch.exe 4 42->58         started        70 4 other processes 42->70 118 77.91.124.1, 49810, 49811, 49812 ECOTEL-ASRU Russian Federation 44->118 120 192.168.2.1 unknown unknown 44->120 98 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 44->98 dropped 100 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 44->100 dropped 144 Antivirus detection for dropped file 44->144 146 Multi AV Scanner detection for dropped file 44->146 148 Creates an undocumented autostart registry key 44->148 150 Uses schtasks.exe or at.exe to add and modify task schedules 44->150 60 cmd.exe 44->60         started        62 schtasks.exe 44->62         started        64 rundll32.exe 44->64         started        72 7 other processes 48->72 66 conhost.exe 50->66         started        file17 signatures18 process19 dnsIp20 114 5.42.92.211, 49804, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 54->114 152 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 54->152 154 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 54->154 116 77.91.124.55, 19071, 49809 ECOTEL-ASRU Russian Federation 58->116 156 Tries to harvest and steal browser information (history, passwords, etc) 58->156 74 conhost.exe 60->74         started        76 cmd.exe 60->76         started        78 cacls.exe 60->78         started        82 4 other processes 60->82 80 conhost.exe 62->80         started        signatures21 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fd477d86003aeb6c4797790b53b477bde6d9b51b3bad6d10be8fc524142991f/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-30 01:16:05 UTC
File Type:
PE (Exe)
Extracted files:
151
AV detection:
24 of 38 (63.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7khpwdaaoxlnrdzo6ilko2hpppg3g2rwo5nnuil5d6feqkctepq._file
Verdict:
malicious
Similar samples:
0f425b2cf3128eff1c522aaaabb0375adca5468aa4a98c3f37e0f055c1b45a22
Amadey
12fb005f8400051a07486a0b93e1429ec4db0ac2575d9eb1630e7d804813d60f
Amadey
1c3715533760b25561a481466c9d5187f70c4767b4c78d3b2b80f03e2e7d5055
Amadey
216e2221b99ee5579841f6a626348a6a8db8df0e2eb844b2618dc0164ace6489
Amadey
26c8b7f5d0f9a0138e5ac0cd5b9d7c4ab9e9e16fbaa221117d7bf6464e85eb69
Amadey
2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c
Amadey
40e6462c4b45d7f081b00cdcd7c8106ee6fa786e4c06bcbaae181b19e20a994b
Amadey
92d7a53e967455a68bf6cb6ddf8a8c13cdb6f82237b18b801ec006c1a1d22080
Amadey
ba72dd23776813767bf4ba2a34da6a8093cc84e9e72dbfc6bcdaa0e10448549f
Amadey
d69958c38bd04cd3b71d6e43032fb8466ffc5f7cf90d524120bfd23f9337cc8e
Amadey
+ 809 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:gruha infostealer persistence trojan
Link:
https://tria.ge/reports/230930-bmsstsff8v/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
RedLine
Malware Config
C2 Extraction:
77.91.124.55:19071
http://77.91.124.1/theme/index.php
http://77.91.68.78/help/index.php
Unpacked files
SH256 hash:
9729674089b502a1c433766749036cbd9c75eb5735424ddbb7c8d0de1bb99e9a
MD5 hash:
d0ad89c0b07e87eb323ad4e736c7463a
SHA1 hash:
edf8b973aedef75db709f18d196fd85b2b0390d0
Link:
https://www.unpac.me/results/a55689f8-a004-463b-9dd6-9cac97110728/
SH256 hash:
d850bf009b23d799435210fa152c56d3ce2a14df76961806579edeb18c0c5ab9
MD5 hash:
efa05a32dd58efd75e1ce661588e9d92
SHA1 hash:
f37e83a552ac597e15a1acd96378a4175eef1757
Link:
https://www.unpac.me/results/a55689f8-a004-463b-9dd6-9cac97110728/
SH256 hash:
7d59dd7d40d0f8cb084e6e5d61237ed217fa49ed36ac57d3185a65a2bccf00d8
MD5 hash:
21de2018ae2eabf9ec4598ab941535c8
SHA1 hash:
0b1b7ee1e9f8cec598e725faaea9bf6273ea5375
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/a55689f8-a004-463b-9dd6-9cac97110728/
Parent samples :
194835eb02355f19409d0497e6f5d75d204d9ccf4c5564654c12fd511aa920b4
6674451579a7f19b0bd1bfb2e976eb8e66a3f5dda7c6abc3e097bd5674443eb5
5fd477d86003aeb6c4797790b53b477bde6d9b51b3bad6d10be8fc524142991f
SH256 hash:
8fdf839e7d0ab84ef954eb53f3c9301b48df51e8ceb83a19bed265a90ef3dea5
MD5 hash:
d66c583f4a353b9e329c0c9dc35b71ec
SHA1 hash:
4858822cf5e46cd0404d55581faaf408aa06205a
Link:
https://www.unpac.me/results/a55689f8-a004-463b-9dd6-9cac97110728/
SH256 hash:
5fd477d86003aeb6c4797790b53b477bde6d9b51b3bad6d10be8fc524142991f
MD5 hash:
a87a642531553dc63467b188e7630b87
SHA1 hash:
f418fe0bbab6fb438ab6161ff48bf8a1b6e658d0
Link:
https://www.unpac.me/results/a55689f8-a004-463b-9dd6-9cac97110728/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5fd477d86003/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fd477d86003aeb6c4797790b53b477bde6d9b51b3bad6d10be8fc524142991f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 5fd477d86003aeb6c4797790b53b477bde6d9b51b3bad6d10be8fc524142991f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710395/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/452128/

Comments