MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321
SHA3-384 hash: 9834070dd1cef3ada3ab80b5f767ff9b987a0613768178aef771c799d0f9ed83436dc576c1685f0f447a5680cd77540a
SHA1 hash: 55e3d4d3536eb1620d635a6350db4709dcff0ce2
MD5 hash: 1f3880629f4830ad6b109bec208f274a
humanhash: march-moon-six-don
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:3'253'760 bytes
First seen:2024-12-10 06:07:59 UTC
Last seen:2024-12-10 06:08:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 98304:pPR9FCxdTCuiZARs+txszDbFuMtzKBbSN:pPR9HksgxcHFbm5
TLSH T105E55B916409B6DFC88B13B8D127DD49B95D0BBD471404CBA82C64BBFEE3CD216BAC58
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
17.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
354
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-12-10 06:32:29 UTC
Tags:
amadey botnet stealer loader lumma stealc gcleaner themida
Link:
https://app.any.run/tasks/f55e323b-1d36-4f5c-acea-7d2d663ef271

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.20270.26820.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6757dac64a662cb52657447d
Tags:
vmdetect autorun autoit cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm anti-vm microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6757dac4b237637daef9ee8f/reports/be3d3059-aa34-42bc-857d-c5e6fccbca12/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/96086b46-f49f-4e8e-94b0-1fc1f0c8df35
Result
Threat name:
Amadey, Credential Flusher, LummaC Steal
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1572143
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Excessive usage of taskkill to terminate processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1572143 Sample: file.exe Startdate: 10/12/2024 Architecture: WINDOWS Score: 100 97 youtube.com 2->97 99 www.google.com 2->99 101 9 other IPs or domains 2->101 129 Suricata IDS alerts for network traffic 2->129 131 Found malware configuration 2->131 133 Antivirus detection for URL or domain 2->133 135 16 other signatures 2->135 9 skotes.exe 4 29 2->9         started        14 file.exe 5 2->14         started        16 ce4fbac2d0.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 115 185.215.113.43, 49753, 49759, 49782 WHOLESALECONNECTIONSNL Portugal 9->115 117 185.215.113.16, 49765, 49789, 49810 WHOLESALECONNECTIONSNL Portugal 9->117 119 31.41.244.11, 49878, 80 AEROEXPRESS-ASRU Russian Federation 9->119 85 C:\Users\user\AppData\...\d4273a8f8c.exe, PE32 9->85 dropped 87 C:\Users\user\AppData\...\4590dc9a6c.exe, PE32 9->87 dropped 89 C:\Users\user\AppData\...\fa71ceef65.exe, PE32 9->89 dropped 95 7 other malicious files 9->95 dropped 163 Creates multiple autostart registry keys 9->163 165 Hides threads from debuggers 9->165 167 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->167 20 e4b0ed98fb.exe 36 9->20         started        25 4590dc9a6c.exe 9->25         started        27 ce4fbac2d0.exe 9->27         started        37 2 other processes 9->37 91 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->91 dropped 93 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->93 dropped 169 Detected unpacking (changes PE section rights) 14->169 171 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->171 173 Tries to evade debugger and weak emulator (self modifying code) 14->173 187 2 other signatures 14->187 29 skotes.exe 14->29         started        175 Query firmware table information (likely to detect VMs) 16->175 177 Tries to harvest and steal ftp login credentials 16->177 179 Tries to harvest and steal browser information (history, passwords, etc) 16->179 181 Excessive usage of taskkill to terminate processes 18->181 183 Tries to steal Crypto Currency Wallets 18->183 185 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->185 31 firefox.exe 18->31         started        33 chrome.exe 18->33         started        35 taskkill.exe 18->35         started        39 9 other processes 18->39 file6 signatures7 process8 dnsIp9 103 185.215.113.206, 49807, 49871, 80 WHOLESALECONNECTIONSNL Portugal 20->103 77 C:\Users\user\Documents\IDAKJKEHDB.exe, PE32 20->77 dropped 79 C:\Users\user\AppData\...\softokn3[1].dll, PE32 20->79 dropped 81 C:\Users\user\AppData\Local\...\random[2].exe, PE32 20->81 dropped 83 11 other files (7 malicious) 20->83 dropped 137 Antivirus detection for dropped file 20->137 139 Multi AV Scanner detection for dropped file 20->139 141 Detected unpacking (changes PE section rights) 20->141 155 7 other signatures 20->155 41 cmd.exe 20->41         started        43 chrome.exe 20->43         started        143 Tries to detect sandboxes and other dynamic analysis tools (window names) 25->143 145 Machine Learning detection for dropped file 25->145 157 4 other signatures 25->157 105 atten-supporse.biz 104.21.16.1, 443, 49781, 49788 CLOUDFLARENETUS United States 27->105 147 Query firmware table information (likely to detect VMs) 27->147 149 Found many strings related to Crypto-Wallets (likely being stolen) 27->149 151 Tries to evade debugger and weak emulator (self modifying code) 27->151 159 3 other signatures 29->159 107 youtube.com 142.250.181.142, 443, 49891, 49893 GOOGLEUS United States 31->107 109 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49895, 80 GOOGLEUS United States 31->109 113 4 other IPs or domains 31->113 54 2 other processes 31->54 46 chrome.exe 33->46         started        48 conhost.exe 35->48         started        111 80.82.65.70 INT-NETWORKSC Netherlands 37->111 153 Binary is likely a compiled AutoIt script file 37->153 161 2 other signatures 37->161 50 taskkill.exe 37->50         started        52 taskkill.exe 37->52         started        56 4 other processes 37->56 58 9 other processes 39->58 file10 signatures11 process12 dnsIp13 60 IDAKJKEHDB.exe 41->60         started        63 conhost.exe 41->63         started        121 239.255.255.250 unknown Reserved 43->121 65 chrome.exe 43->65         started        123 www.google.com 142.250.181.68 GOOGLEUS United States 46->123 125 shed.dual-low.s-part-0035.t-0009.t-msedge.net 46->125 127 4 other IPs or domains 46->127 67 conhost.exe 50->67         started        69 conhost.exe 52->69         started        71 conhost.exe 56->71         started        73 conhost.exe 56->73         started        75 conhost.exe 56->75         started        process14 signatures15 189 Multi AV Scanner detection for dropped file 60->189 191 Detected unpacking (changes PE section rights) 60->191 193 Tries to evade debugger and weak emulator (self modifying code) 60->193 195 3 other signatures 60->195
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-12-10 06:09:12 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mncxjpibb2aohvxfb3zeqpc4os447fuf4dudjekzug7imk4nomqq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:gcleaner family:lumma family:stealc botnet:9c9aa5 botnet:stok discovery evasion loader persistence stealer trojan
Link:
https://tria.ge/reports/241210-gvxpmswkct/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.43
http://185.215.113.206
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a4d916bc-2bca-4ede-b53c-76de90f068c1
Unpacked files
SH256 hash:
a3e076b9d81afc638bf35d342e14a5c5d19a3024f1608d5aa4cc0ac4a95d88d6
MD5 hash:
225b98c41b07934f10e865309b66b55b
SHA1 hash:
e9c28d9d8c9a95a55ac27b00a76e35386337f613
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/8cf98139-5c0b-447f-ac36-3aef7294d9cf/
SH256 hash:
634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321
MD5 hash:
1f3880629f4830ad6b109bec208f274a
SHA1 hash:
55e3d4d3536eb1620d635a6350db4709dcff0ce2
Link:
https://www.unpac.me/results/8cf98139-5c0b-447f-ac36-3aef7294d9cf/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/634574bd010e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3338043/
  
URLhaus
https://urlhaus.abuse.ch/url/3072521/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments