MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 624f4d882c679941ae0fbedd47554d2dd8419c3d5e6492d020b004719c164974. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 14



SHA256 hash: 624f4d882c679941ae0fbedd47554d2dd8419c3d5e6492d020b004719c164974
SHA3-384 hash: fee2d48352eee4c59a2b2c335133be586f0fc35733e5a80c385aab5a184083175763bec62688e5c37da56dd3d8227e63
SHA1 hash: 204471dfbe8595643042f780f6a41e11af6933d6
MD5 hash: a599e020f718cf8c8f2c4cbc4dd53a20
humanhash: lithium-pizza-equal-gee
File name: a599e020f718cf8c8f2c4cbc4dd53a20
Signature: Amadey
File size: 3'034'624 bytes
First seen: 2024-04-18 20:51:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:O7yhKtnwpmRei5FHEdkjqM6tUi2jIILqdYhfdIAcax:O7yhKqEeizHEdkuM6tUhTOU6ANx
TLSH: T1FDE54A92AE0472CFD49E2B74943FCDA2595D07B9472108D3AC6964BABDF3CC121B6D38
TrID: 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.5% (.ICL) Windows Icons Library (generic) (2059/9)
      8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: zbetcheckin
Tags: 32 Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 331
Origin country: FR

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 624f4d882c679941ae0fbedd47554d2dd8419c3d5e6492d020b004719c164974.exe
Verdict: Malicious activity
Analysis date: 2024-04-18 20:55:13 UTC
Tags: amadey botnet stealer loader risepro

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Reading critical registry keys
Launching the process to change network settings
Connection attempt to an infection source
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, PureLog Stealer, RedLine, RisePr
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1428423; sample tA6etkt3gb.exe; start date 18/04/2024; architecture WINDOWS; score 100)

Root signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 21 other signatures

Process tree (network contacts, dropped files and signatures listed per process):

tA6etkt3gb.exe
  dropped: C:\Users\user\AppData\Local\...\explorha.exe (PE32)
  signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); 2 other signatures
  explorha.exe
    contacts: 193.233.132.167 (FREE-NET-ASFREEnetEU, Russian Federation); 193.233.132.56 (FREE-NET-ASFREEnetEU, Russian Federation)
    dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\...\a14d081f84.exe (PE32); 8 other malicious files
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Creates multiple autostart registry keys; 4 other signatures
    a14d081f84.exe
      contacts: 34.117.186.192 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); 147.45.47.93 (FREE-NET-ASFREEnetEU, Russian Federation); 104.26.4.15 (CLOUDFLARENETUS, United States)
      dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\qRHF0I3SLdbVi0YvmQyqu8Z.zip (Zip)
      signatures: Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
      schtasks.exe
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
        conhost.exe
      schtasks.exe
        conhost.exe
      WerFault.exe
        contacts: 20.42.73.29 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
    amert.exe
      dropped: C:\Users\user\AppData\Local\...\chrosha.exe (PE32)
      signatures: 4 other signatures
    rundll32.exe
      rundll32.exe
        signatures: Tries to steal Instant Messenger accounts or passwords; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
        powershell.exe
          dropped: C:\Users\user\...\246122658369_Desktop.zip (Zip)
          signatures: Found many strings related to Crypto-Wallets (likely being stolen); Loading BitLocker PowerShell Module
          conhost.exe
        netsh.exe
          conhost.exe
    3 other processes
      signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
      chrome.exe
        contacts: 192.168.2.6 (unknown); 239.255.255.250 (unknown, Reserved)
        chrome.exe
          contacts: 142.250.105.105 (GOOGLEUS, United States); 142.250.105.94 (GOOGLEUS, United States); 9 other IPs or domains
        chrome.exe
          contacts: 142.251.15.100 (GOOGLEUS, United States)
        chrome.exe
        2 other processes
chrosha.exe
  contacts: 185.172.128.19 (NADYMSS-ASRU, Russian Federation); 147.45.47.102 (FREE-NET-ASFREEnetEU, Russian Federation); 148.135.72.74 (ERI-ASUS, Sweden)
  dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\file300un.exe (PE32+); 20 other malicious files
  signatures: Hides threads from debuggers; 2 other signatures
  swiiiii.exe
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    RegAsm.exe
      contacts: 172.67.181.34 (CLOUDFLARENETUS, United States)
      signatures: Query firmware table information (likely to detect VMs); Installs new ROOT certificates; 2 other signatures
    conhost.exe
  rundll32.exe
    rundll32.exe
      signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal ftp login credentials
MPGPH131.exe
  dropped: C:\Users\user\...\ai7r4g0iAr_FU6jbGEv2feP.zip (Zip)
  signatures: Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
  WerFault.exe
9 other processes
  contacts: 169.150.236.99 (SPIRITTEL-ASUS, United States); 23.44.104.130 (AKAMAI-ASUS, United States); 127.0.0.1 (unknown)
  dropped: SystemMechanic_548...38868BD1.exe (copy, PE32); C:\Users\user\AppData\Local\...\BIT826D.tmp (PE32); C:\Users\user\...\2kpfKwlB_SMWQoOpeV00Wxp.zip (Zip)
  signatures: Benign windows process drops PE files; Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to harvest and steal browser information (history, passwords, etc)
  chrome.exe
    chrome.exe
  chrome.exe
    chrome.exe
  WerFault.exe
  4 other processes
Threat name: Win32.Trojan.RisePro
Status: Malicious
First seen: 2024-04-18 20:52:07 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 19 of 24 (79.17%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey evasion persistence spyware stealer trojan
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Malware Config
C2 Extraction:
http://193.233.132.56
http://193.233.132.167
Unpacked files
SHA256 hash: 4e733ad19cfd7ae4e603a1a552c9f5b1720a0b5f34fad9c0f7cad33e789dbc0c
MD5 hash: a07268eb55a849103313c5b2180dc93c
SHA1 hash: 7c357f450ccc41a593c9ffa2352f10c01595aad3
Detections: win_amadey

SHA256 hash: 624f4d882c679941ae0fbedd47554d2dd8419c3d5e6492d020b004719c164974
MD5 hash: a599e020f718cf8c8f2c4cbc4dd53a20
SHA1 hash: 204471dfbe8595643042f780f6a41e11af6933d6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Amadey
Author: kevoreilly
Description: Amadey Payload

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: Windows_Generic_Threat_bd24be68
Author: Elastic Security

Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

Rule name: win_amadey_bytecodes_oct_2023
Author: Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 624f4d882c679941ae0fbedd47554d2dd8419c3d5e6492d020b004719c164974 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                   Missing Non-Executable Memory Protection                 critical

Comments



zbet commented on 2024-04-18 20:51:27 UTC

url : hxxp://147.45.47.102:57893/hera/amadka.exe