MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 663d4270b4fefb6cf4c941532b4aaa3957f43874a6ad73e9b87ccdeedaddb634. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 663d4270b4fefb6cf4c941532b4aaa3957f43874a6ad73e9b87ccdeedaddb634
SHA3-384 hash: 9ddbaa11a5a20c26a605ec8f5a804254e97f1b051bfb919a870b82993ab49ed064bb679e07be87321cec71220481ec7f
SHA1 hash: 1e8e1eb56e282b5e85c0e7f5ba25a524965706f1
MD5 hash: 52eeafe4196446eccbada6dd4c750aa2
humanhash: purple-texas-low-illinois
File name:1e8e1eb56e282b5e85c0e7f5ba25a524965706f1.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'026'959 bytes
First seen:2021-09-30 21:50:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d221b1dc8c3a08622f6512e7876527c8 (3 x ZhongStealer, 2 x ValleyRAT, 1 x CoinMiner)
ssdeep 24576:CQ9o65HYl7Du97vZo0yIsoTcc1Uiwz7H00svO7WOpRBs2i:CQNip2vZomsoj23zL00svqWOri
Threatray 4 similar samples on MalwareBazaar
TLSH T18C252340725C5C7EF8650F7187B99362C3E2C933425A03DEBD7E67E216F5622AC8523A
File icon (PE):PE icon
dhash icon 608173e09ce0e0c2 (1 x Amadey)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://91.241.19.101/g7vcSfkbDs2/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.241.19.101/g7vcSfkbDs2/index.php https://threatfox.abuse.ch/ioc/229070/

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1e8e1eb56e282b5e85c0e7f5ba25a524965706f1.exe
Verdict:
No threats detected
Analysis date:
2021-09-30 21:54:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/208acea9-e224-4d4d-9e54-4211692f7cb6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193798/
Detection(s):
SecuriteInfo.com.TR.Dldr.Adload.DM.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6e9c913-b35c-402c-99f4-9a8fe9708ee2
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
54 / 100
Link:
https://www.joesandbox.com/analysis/862338
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Amadey bot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 494766 Sample: Ac372JNTO6.exe Startdate: 30/09/2021 Architecture: WINDOWS Score: 54 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Multi AV Scanner detection for domain / URL 2->75 77 Found malware configuration 2->77 79 6 other signatures 2->79 10 Ac372JNTO6.exe 9 22 2->10         started        14 sqconfig.exe 2->14         started        process3 dnsIp4 71 a.pomf.cat 69.39.225.3, 443, 49756 ASN-GIGENETUS United States 10->71 55 C:\Program Files (x86)\...\libupdate.exe, PE32 10->55 dropped 57 C:\Users\user\AppData\Local\...\genteert.dll, PE32 10->57 dropped 59 C:\Users\user\AppData\Local\...\ssleay32.dll, PE32 10->59 dropped 61 4 other files (none is malicious) 10->61 dropped 16 libupdate.exe 2 10->16         started        19 cmd.exe 1 10->19         started        file5 process6 file7 41 C:\Users\user\AppData\Local\...\libupdate.tmp, PE32 16->41 dropped 22 libupdate.tmp 3 13 16->22         started        81 Uses ping.exe to sleep 19->81 83 Uses ping.exe to check the status of other devices and networks 19->83 25 PING.EXE 1 19->25         started        28 conhost.exe 19->28         started        30 PING.EXE 1 19->30         started        signatures8 process9 dnsIp10 53 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 22->53 dropped 32 libupdate.exe 2 22->32         started        69 127.0.0.1 unknown unknown 25->69 file11 process12 file13 43 C:\Users\user\AppData\Local\...\libupdate.tmp, PE32 32->43 dropped 35 libupdate.tmp 5 127 32->35         started        process14 file15 45 C:\Users\user\AppData\...\sqconfig.exe (copy), PE32 35->45 dropped 47 C:\Users\user\AppData\...\libplist.dll (copy), PE32 35->47 dropped 49 C:\Users\...\liborc-test-0.4-0.dll (copy), PE32 35->49 dropped 51 44 other files (none is malicious) 35->51 dropped 38 sqconfig.exe 16 35->38         started        process16 dnsIp17 63 91.241.19.101, 49761, 49762, 49763 REDBYTES-ASRU Russian Federation 38->63 65 192.168.2.3, 443, 49559, 49572 unknown unknown 38->65 67 192.168.2.1 unknown unknown 38->67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/663d4270b4fefb6cf4c941532b4aaa3957f43874a6ad73e9b87ccdeedaddb634/
Threat name:
ByteCode-MSIL.Trojan.Omaneat
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 02:12:00 UTC
AV detection:
5 of 27 (18.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=my6ue4fu735wz5gjifjswsvkhfl7ioduu2wxh2nyptg65ww5wy2a._file
Verdict:
malicious
Similar samples:
384292cad1c05552ccbd691de48865ce75375f7e601db66b3f5cad0f8f294d6c
Amadey
42e369c8a08e42bb7ca81f3b4598b1352766fd602c32adc21cd5f1afab85f7f3
Amadey
4af4a3e76358c3a932e5fa2bd23af3f73880a0f24d0841c299bea7f35dec8283
Amadey
ec5e384e2dc1a77a23eaf3130d6fe73abf081fa7433e0d67295926943813a2c9
Amadey
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210930-1qgmeaaegp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Loads dropped DLL
Unpacked files
SH256 hash:
f26f91165911e4d770c38410a6a4c84d3d21e623dbb4237cd44e5d4e67bd36e5
MD5 hash:
06cf2c8408980d5aa4ee629f445b3326
SHA1 hash:
57421174f398b4eb859cb5c2751ad81c863dc001
Link:
https://www.unpac.me/results/406a4536-932c-491f-8c8d-64edd0411d6b/
SH256 hash:
5dcc7893e78485b178ddbca45e2a1fcd97f54ad263767a036edc3e85430d8eb3
MD5 hash:
af8404538b5d375e2dfd6c6a17e00112
SHA1 hash:
5426e369cc2ec7f0150a29fa327196e9461282fb
Link:
https://www.unpac.me/results/406a4536-932c-491f-8c8d-64edd0411d6b/
SH256 hash:
005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa
MD5 hash:
d3f8c0334c19198a109e44d074dac5fd
SHA1 hash:
167716989a62b25e9fcf8e20d78e390a52e12077
Link:
https://www.unpac.me/results/406a4536-932c-491f-8c8d-64edd0411d6b/
SH256 hash:
10b255a2b68a4ee05893179fd91c074ad7c94d408a249968fc11c1433a41ee1d
MD5 hash:
47e518e3dcfd09346f8217cc58807858
SHA1 hash:
01be7d5316421c7506b4b3bff610cafe1902e099
Link:
https://www.unpac.me/results/406a4536-932c-491f-8c8d-64edd0411d6b/
SH256 hash:
8ba6f90b9f63988a48d1818332eb030d325f1cef9c70722a5283c1ca3c1cdfd4
MD5 hash:
63196eea43f51e638f8674e97c0fb9a5
SHA1 hash:
0a6bb114979cbadb3f5148358de5271eff4c436d
Link:
https://www.unpac.me/results/406a4536-932c-491f-8c8d-64edd0411d6b/
SH256 hash:
663d4270b4fefb6cf4c941532b4aaa3957f43874a6ad73e9b87ccdeedaddb634
MD5 hash:
52eeafe4196446eccbada6dd4c750aa2
SHA1 hash:
1e8e1eb56e282b5e85c0e7f5ba25a524965706f1
Link:
https://www.unpac.me/results/406a4536-932c-491f-8c8d-64edd0411d6b/
Malware family:
Mal/HTMLGen-A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/663d4270b4fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/663d4270b4fefb6cf4c941532b4aaa3957f43874a6ad73e9b87ccdeedaddb634

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193798/

Comments