MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65e38a7dd78629bc9a810a0dac0a18f977be82eacd6de5a090c0405c57de7a26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65e38a7dd78629bc9a810a0dac0a18f977be82eacd6de5a090c0405c57de7a26
SHA3-384 hash: 021ee7fe01735b7db1e391faea4a6de81005fffd3d47d978d978e9021f5a86bb2e987a94c4db92a23f964bf8e33f0d39
SHA1 hash: 9c91cbba1071420b73caad3a2abcfc47360f4f0e
MD5 hash: d2b1682105389a925387227c660abb87
humanhash: quebec-hawaii-fillet-network
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:3'026'432 bytes
First seen:2024-12-15 23:58:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:l+OrfMejZNr/UFhowlQSEzzRQA1BehabYJOnbj:lrfdj8FhowlQSuziAOhaaOn3
Threatray 1 similar samples on MalwareBazaar
TLSH T1EAE55C527D0571CBD08E17B8952BCE8AA95D07B9471048D7EC68F87ABEE3CC235B9C24
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
577
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-12-15 23:58:59 UTC
Tags:
amadey botnet stealer loader arch-exec telegram lumma stealc cryptbot themida
Link:
https://app.any.run/tasks/c6600085-03f8-4761-bb2d-544678035dce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.12062.28271.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675f6fbf8fb73f13afcb8340
Tags:
vmdetect autorun autoit lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/675f6d45ab0a589336671ed1/reports/8e8f43b8-a2f1-4648-8b1b-d554b511fbc9/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/65e38a7dd78629bc9a810a0dac0a18f977be82eacd6de5a090c0405c57de7a26
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/afa30a9f-991a-40f7-98ba-a996f5bcd6d7
Result
Threat name:
Amadey, LummaC Stealer, Vidar, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1575550
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Leaks process information
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Drops script at startup location
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1575550 Sample: file.exe Startdate: 16/12/2024 Architecture: WINDOWS Score: 100 130 woo097878781.win 2->130 132 fivegr5sb.top 2->132 134 5 other IPs or domains 2->134 158 Multi AV Scanner detection for domain / URL 2->158 160 Suricata IDS alerts for network traffic 2->160 162 Found malware configuration 2->162 164 24 other signatures 2->164 11 skotes.exe 4 59 2->11         started        16 file.exe 5 2->16         started        18 wscript.exe 2->18         started        20 Intel_PTT_EK_Recertification.exe 2->20         started        signatures3 process4 dnsIp5 148 185.215.113.43, 49758, 49764, 49782 WHOLESALECONNECTIONSNL Portugal 11->148 150 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 11->150 152 31.41.244.11, 49770, 49783, 49800 AEROEXPRESS-ASRU Russian Federation 11->152 114 C:\Users\user\AppData\...\8fabf18f8e.exe, PE32 11->114 dropped 116 C:\Users\user\AppData\...\f5e7dd5dbb.exe, PE32 11->116 dropped 118 C:\Users\user\AppData\...\d0e065d272.exe, PE32 11->118 dropped 124 23 other malicious files 11->124 dropped 228 Creates multiple autostart registry keys 11->228 230 Hides threads from debuggers 11->230 232 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->232 234 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 11->234 22 sUSFJjY.exe 14 5 11->22         started        27 cad620f7d1.exe 11->27         started        29 ae91ff4264.exe 11->29         started        35 2 other processes 11->35 120 C:\Users\user\AppData\Local\...\skotes.exe, PE32 16->120 dropped 122 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 16->122 dropped 236 Detected unpacking (changes PE section rights) 16->236 238 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 16->238 240 Tries to evade debugger and weak emulator (self modifying code) 16->240 252 2 other signatures 16->252 31 skotes.exe 16->31         started        242 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->242 244 Suspicious execution chain found 18->244 33 IsStopped.exe 18->33         started        246 Multi AV Scanner detection for dropped file 20->246 248 Injects code into the Windows Explorer (explorer.exe) 20->248 250 Modifies the context of a thread in another process (thread injection) 20->250 file6 signatures7 process8 dnsIp9 136 woo097878781.win 154.216.20.243, 443, 49776, 49828 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 22->136 106 C:\Users\user\AppData\Roaming\IsStopped.exe, PE32+ 22->106 dropped 108 C:\Users\user\AppData\...\IsStopped.vbs, ASCII 22->108 dropped 202 Antivirus detection for dropped file 22->202 204 Machine Learning detection for dropped file 22->204 206 Drops VBS files to the startup folder 22->206 220 2 other signatures 22->220 37 RegAsm.exe 22->37         started        41 powershell.exe 23 22->41         started        208 Contains functionality to inject code into remote processes 27->208 210 Injects a PE file into a foreign processes 27->210 43 cad620f7d1.exe 27->43         started        46 conhost.exe 27->46         started        110 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 29->110 dropped 112 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 29->112 dropped 48 cmd.exe 29->48         started        212 Multi AV Scanner detection for dropped file 31->212 214 Detected unpacking (changes PE section rights) 31->214 216 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 31->216 222 3 other signatures 31->222 224 3 other signatures 33->224 50 RegAsm.exe 33->50         started        138 fivegr5sb.top 141.8.192.141 SPRINTHOSTRU Russian Federation 35->138 140 home.fivegr5sb.top 35->140 142 httpbin.org 34.226.108.155 AMAZON-AESUS United States 35->142 218 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->218 226 2 other signatures 35->226 52 conhost.exe 35->52         started        file10 signatures11 process12 dnsIp13 104 C:\Users\user\AppData\...\lkpwsyczzfuj.sys, PE32+ 37->104 dropped 166 Injects code into the Windows Explorer (explorer.exe) 37->166 168 Uses powercfg.exe to modify the power settings 37->168 170 Modifies the context of a thread in another process (thread injection) 37->170 172 Sample is not signed and drops a device driver 37->172 54 explorer.exe 37->54         started        58 powercfg.exe 37->58         started        60 powercfg.exe 37->60         started        67 2 other processes 37->67 174 Uses ping.exe to check the status of other devices and networks 41->174 176 Loading BitLocker PowerShell Module 41->176 69 2 other processes 41->69 154 drive-connect.cyou 104.21.79.7, 443, 49854 CLOUDFLARENETUS United States 43->154 178 Query firmware table information (likely to detect VMs) 43->178 180 Found many strings related to Crypto-Wallets (likely being stolen) 43->180 182 Tries to harvest and steal ftp login credentials 43->182 188 2 other signatures 43->188 184 Uses cmd line tools excessively to alter registry or file data 48->184 62 in.exe 48->62         started        65 7z.exe 48->65         started        71 10 other processes 48->71 186 Modifies power options to not sleep / hibernate 50->186 73 2 other processes 50->73 file14 signatures15 process16 dnsIp17 144 185.157.162.216, 4444, 49841 OBE-EUROPEObenetworkEuropeSE Sweden 54->144 146 37.203.243.102, 3333, 49827 DAPLDATAPLANETLtdRU Russian Federation 54->146 190 System process connects to network (likely due to code injection or exploit) 54->190 192 Query firmware table information (likely to detect VMs) 54->192 194 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 54->194 75 conhost.exe 58->75         started        77 conhost.exe 60->77         started        126 C:\Users\...\Intel_PTT_EK_Recertification.exe, PE32+ 62->126 dropped 196 Suspicious powershell command line found 62->196 198 Uses cmd line tools excessively to alter registry or file data 62->198 200 Uses schtasks.exe or at.exe to add and modify task schedules 62->200 79 powershell.exe 62->79         started        81 attrib.exe 62->81         started        83 attrib.exe 62->83         started        85 schtasks.exe 62->85         started        128 C:\Users\user\AppData\Local\Temp\...\in.exe, PE32+ 65->128 dropped 87 conhost.exe 67->87         started        89 conhost.exe 67->89         started        91 conhost.exe 73->91         started        file18 signatures19 process20 process21 93 PING.EXE 79->93         started        96 conhost.exe 79->96         started        98 conhost.exe 81->98         started        100 conhost.exe 83->100         started        102 conhost.exe 85->102         started        dnsIp22 156 127.0.0.1 unknown unknown 93->156
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/65e38a7dd78629bc9a810a0dac0a18f977be82eacd6de5a090c0405c57de7a26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65e38a7dd78629bc9a810a0dac0a18f977be82eacd6de5a090c0405c57de7a26/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-12-15 23:59:03 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxryu7oxqyu3zgubbig2ycqy7f335axkzvw6lieqybafyv66pita._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
amadey
Create hunting rule
Similar samples:
65e38a7dd78629bc9a810a0dac0a18f977be82eacd6de5a090c0405c57de7a26
Amadey
error
Amadey
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:cryptbot family:lumma family:stealc family:xmrig botnet:9c9aa5 botnet:stok credential_access discovery evasion miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/241215-31pf4stkh1/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Downloads MZ/PE file
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
CryptBot
Cryptbot family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Xmrig family
xmrig
Malware Config
C2 Extraction:
http://185.215.113.43
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
https://shineugler.biz/api
http://185.215.113.206
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/918952a2-7eda-44f0-bbfe-cac61aca1849
Unpacked files
SH256 hash:
f97f7402b0c5d7642e7f8c977f8b3237538df80c51d3ee187f99e63b40286b7d
MD5 hash:
2a293c39b6b7d89ca036a2ada53284b7
SHA1 hash:
4741d915f93ac195042f19c94ddaeca1014a2fa2
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/7e37d445-66f3-464d-83be-0e84dcc6298d/
SH256 hash:
65e38a7dd78629bc9a810a0dac0a18f977be82eacd6de5a090c0405c57de7a26
MD5 hash:
d2b1682105389a925387227c660abb87
SHA1 hash:
9c91cbba1071420b73caad3a2abcfc47360f4f0e
Link:
https://www.unpac.me/results/7e37d445-66f3-464d-83be-0e84dcc6298d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 65e38a7dd78629bc9a810a0dac0a18f977be82eacd6de5a090c0405c57de7a26

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3072521/
  
URLhaus
https://urlhaus.abuse.ch/url/3279844/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments