Threat name:
Amadey, Cryptbot, PureLog Stealer, RedLi
Alert
Classification:
troj.spyw.expl.evad
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
High number of junk calls found (likely related to sandbox DOS / API hammering)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Forfiles.EXE Child Process Masquerading
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Yara detected Amadey's stealer DLL
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behavior Graph
ID: 1492636
Sample: file.exe
Startdate: 14/08/2024
Architecture: WINDOWS
Score: 100

Process tree (reconstructed from the flattened behavior graph; each process lists its network contacts, dropped files, triggered signatures and child processes; numbers in parentheses are the graph's own badges next to the process name)

file.exe (submitted sample)
  Network: jSbXVBiItIINfreBHvLPHxDRe.jSbXVBiItIINfreBHvLPHxDRe; fivexc5vt.top; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 31 other signatures
  Started: axplong.exe (45); file.exe (5); axplong.exe; 2 other processes

  axplong.exe (45)
    Network: 185.215.113.16, 49712, 49713, 49715 (WHOLESALECONNECTIONSNL, Portugal); 185.196.11.123, 49716, 80 (SIMPLECARRIERCH, Switzerland)
    Dropped: C:\Users\user\AppData\Local\...\runtime.exe, PE32; C:\Users\user\AppData\...\PctOccurred.exe, PE32; C:\Users\user\AppData\Local\Temp\...\DOC.exe, PE32; 18 other malicious files
    Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
    Started: rorukal.exe; stealc_default.exe; crypteda.exe (1); 6 other processes

    rorukal.exe
      Dropped: C:\ProgramData\Microsoft\Windows\...\cmd.exe, PE32; C:\ProgramData\Microsoft\...\forfiles.exe, PE32+
      Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Started: forfiles.exe

      forfiles.exe
        Started: cmd.exe; conhost.exe

        cmd.exe
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
          Started: AppLaunch.exe

          AppLaunch.exe
            Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign process
            Started: AppLaunch.exe; conhost.exe

            AppLaunch.exe
              Network: 127.0.0.1 (unknown, unknown)
              Signatures: Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows

    stealc_default.exe
      Network: 185.215.113.17, 49724, 80 (WHOLESALECONNECTIONSNL, Portugal)
      Dropped: C:\Users\user\AppData\...\softokn3[1].dll, PE32; C:\Users\user\AppData\Local\...\nss3[1].dll, PE32; C:\Users\user\AppData\...\mozglue[1].dll, PE32; 9 other files (5 malicious)
      Signatures: Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; 3 other signatures

    crypteda.exe (1)
      Signatures: 3 other signatures
      Started: RegAsm.exe; conhost.exe

      RegAsm.exe
        Dropped: C:\Users\user\AppData\...\LbjIdugiIw.exe, PE32; C:\Users\user\AppData\...\7YLGfG4DzX.exe, PE32
        Signatures: Found many strings related to Crypto-Wallets (likely being stolen)
        Started: 7YLGfG4DzX.exe; LbjIdugiIw.exe

        7YLGfG4DzX.exe
          Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Started: conhost.exe

        LbjIdugiIw.exe
          Started: conhost.exe

    6 other processes
      Network: 185.215.113.67, 21405, 49722, 49730 (WHOLESALECONNECTIONSNL, Portugal); 45.66.231.214, 49732, 9932 (CMCSUS, Germany); fivexc5vt.top / 172.67.161.137 (CLOUDFLARENETUS, United States)
      Dropped: C:\Users\user\AppData\Local\...\Hkbsse.exe, PE32
      Signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; 2 other signatures
      Started: cmd.exe; Hkbsse.exe; RegAsm.exe (2); 2 other processes

      cmd.exe
        Dropped: C:\Users\user\AppData\Local\...\Beijing.pif, PE32
        Signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
        Started: Beijing.pif; conhost.exe; tasklist.exe; 7 other processes

        Beijing.pif
          Dropped: C:\Users\user\AppData\Local\...\MindLynx.pif, PE32; C:\Users\user\AppData\Local\...\MindLynx.js, ASCII
          Signatures: Drops PE files with a suspicious file extension
          Started: cmd.exe; cmd.exe

          cmd.exe
            Dropped: C:\Users\user\AppData\...\MindLynx.url, MS
            Started: conhost.exe

          cmd.exe
            Started: conhost.exe; schtasks.exe

      Hkbsse.exe
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        Started: Conhost.exe

      RegAsm.exe (2)
        Network: 20.52.165.210, 39030, 49714, 49718 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)

  file.exe (5)
    Dropped: C:\Users\user\AppData\Local\...\axplong.exe, PE32; C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII
    Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
    Started: axplong.exe

    axplong.exe
      Signatures: 3 other signatures

  axplong.exe
    Signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Potentially malicious time measurement code found

  2 other processes
    Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    Started: MindLynx.pif