MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811
SHA3-384 hash: eed01ad8c993a5d7d2a9d599b72358742d64f6f88f133c0ecbf4b0b7ad4bc22091ed25651f26b3958a6729f213aa5b60
SHA1 hash: f09eb7d69bc7440d3d45e14267236a78ac789fcb
MD5 hash: 2239a58cc93fd94dc2806ce7f6af0a0b
humanhash: timing-jupiter-red-violet
File name:2239a58cc93fd94dc2806ce7f6af0a0b
Download: download sample
Signature Amadey
Create hunting rule
File size:7'732'440 bytes
First seen:2022-12-09 09:51:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a09599f99e4c72911ae32fe016ed9145 (1 x Amadey)
ssdeep 196608:U+rNR2F7EU+iE09OKsRk3PdM+i+8lHFL9AYS:/RWEU+1OP6+X+oYS
TLSH T1C57623B3A3B41145C1D0CD3D9537AFA473F18FA7CB422A36658DB9C618721F4E622A87
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d4f9d89e968ec870 (2 x SnakeKeylogger, 2 x Formbook, 1 x Amadey)
Reporter zbetcheckin
Tags:32 Amadey exe signed

Code Signing Certificate

Organisation:luminous company
Issuer:luminous company
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-08T00:47:11Z
Valid to:2023-12-08T01:07:11Z
Serial number: 4e9d6fd78307e6ad4c5583a2d9753ae2
Thumbprint Algorithm:SHA256
Thumbprint: 5e29c591440a557f3a7b7cab7ba338b2c19d4bc16cfc917bfaaac0804627e3ee
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344654/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.14799.18836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Creating a window
Creating a file
Sending an HTTP POST request
Delayed reading of the file
Adding an access-denied ACE
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63930544485d8463dc40feb4/reports/1cae495f-62bf-4982-accb-240931d599b6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/70d8d22f-b179-4938-be83-83e6c32dbd7d
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131313
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 764037 Sample: q3oUuJIXkc.exe Startdate: 09/12/2022 Architecture: WINDOWS Score: 100 57 Antivirus detection for URL or domain 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected Amadeys stealer DLL 2->61 63 3 other signatures 2->63 8 q3oUuJIXkc.exe 4 2->8         started        12 gntuud.exe 2->12         started        process3 file4 37 C:\Users\user\AppData\Local\...\gntuud.exe, PE32 8->37 dropped 39 C:\Users\user\...\gntuud.exe:Zone.Identifier, ASCII 8->39 dropped 73 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->73 75 Tries to evade analysis by execution special instruction (VM detection) 8->75 77 Tries to detect virtualization through RDTSC time measurements 8->77 14 gntuud.exe 17 8->14         started        79 Hides threads from debuggers 12->79 signatures5 process6 dnsIp7 47 85.209.135.109 CMCSUS Germany 14->47 41 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32 14->41 dropped 43 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32 14->43 dropped 49 Multi AV Scanner detection for dropped file 14->49 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->51 53 Creates an undocumented autostart registry key 14->53 55 4 other signatures 14->55 19 rundll32.exe 14->19         started        23 cmd.exe 1 14->23         started        25 schtasks.exe 1 14->25         started        file8 signatures9 process10 dnsIp11 45 192.168.2.4 unknown unknown 19->45 65 System process connects to network (likely due to code injection or exploit) 19->65 67 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->67 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->69 71 6 other signatures 19->71 27 conhost.exe 23->27         started        29 cmd.exe 1 23->29         started        31 cacls.exe 1 23->31         started        35 4 other processes 23->35 33 conhost.exe 25->33         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2022-12-09 09:36:02 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=navl2yvw4paorssx6b443fxs2ociouxk64acxx2xx62rfpjefaiq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:systembc collection evasion persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/221209-lv3ccafg2w/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Stops running service(s)
UPX packed file
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Amadey
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Malware Config
C2 Extraction:
85.209.135.109/jg94cVd30f/index.php
89.22.236.225:4193
176.124.205.5:4193
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d1535911-0739-43d9-a0d7-848cce9d3c79
Unpacked files
SH256 hash:
2f3957412cdc271414d1315501e4113f2d95e82a960ecc460c7cc8fd77342f88
MD5 hash:
1e5e0e673eed5e66613d0bef2196944b
SHA1 hash:
0fccd518b2e0d47edc61a1101a0a688c0a164dac
Link:
https://www.unpac.me/results/05ca2992-ac03-4997-91fe-dda310fb1ad2/
SH256 hash:
682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811
MD5 hash:
2239a58cc93fd94dc2806ce7f6af0a0b
SHA1 hash:
f09eb7d69bc7440d3d45e14267236a78ac789fcb
Link:
https://www.unpac.me/results/05ca2992-ac03-4997-91fe-dda310fb1ad2/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/682abd62b6e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2452287/
Cape
Cape
https://www.capesandbox.com/analysis/344654/

Comments


Avatar
zbet commented on 2022-12-09 09:51:08 UTC

url : hxxp://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe