MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6afdfee605fea7f98b5be7fd4a50bc24181929a22530fdd01c2bc4f012ee4ba2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 13



SHA256 hash: 6afdfee605fea7f98b5be7fd4a50bc24181929a22530fdd01c2bc4f012ee4ba2
SHA3-384 hash: 4943fdd21694cdbc297e370c9ca7a0025811a7323b6a29db30848e85bfce733ab333492c8f9760af21202c784f61db35
SHA1 hash: 624dab4529371a4da07ed1c37be63184c037e859
MD5 hash: 56cc19876a0f45d09f7f409289b254b6
humanhash: colorado-fix-potato-black
File name: file
Signature: Amadey
File size: 258'048 bytes
First seen: 2022-11-12 02:58:53 UTC
Last seen: 2022-11-12 04:41:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b3624c9de84346baaf052b30f634ca89 (12 x Smoke Loader, 10 x Amadey, 8 x CoinMiner)
ssdeep: 6144:EZ0w6vThLZILheYji+H+0n3Tp9/TNzuLO7C:EZ0w6l9ILheYuXaTfNkg
Threatray: 1'423 similar samples on MalwareBazaar
TLSH: T11444E1227AC2C4B2C55315328921DA92EABFF431F5B5694737A81F3D5F702D2AA3131B
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 25ac137031939b91 (10 x Smoke Loader, 7 x Amadey, 5 x Tofsee)
Reporter: andretavare5
Tags: Amadey exe


andretavare5
Sample downloaded from http://193.56.146.244/img/icon/film02.exe

Intelligence


File Origin
# of uploads: 24
# of downloads: 164
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-11-12 03:38:52 UTC
Tags: trojan amadey stealer loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Creating a file
Delayed reading of the file
Searching for the window
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Eternity Stealer, RedLine
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected Eternity Stealer
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph: ID 744351, Sample: file.exe, Startdate: 12/11/2022, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2022-11-12 02:59:08 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:amadey family:arrowrat family:eternity family:redline botnet:@noxycloud botnet:@redlinevip cloud (tg: @fatherofcarders) botnet:boy botnet:client collection discovery infostealer persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
ArrowRat
Detect Amadey credential stealer module
Eternity
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.73.134.241:4691
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
151.80.89.233:13553
85.192.63.57:34210
213.239.219.58:1337
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 18a38fa6f5b306243d99621556af948a61daed29619ab755e25010f9e254c6bd
MD5 hash: 089244606219da1ac0532e9dab766427
SHA1 hash: a72bd6fb00c6aaf58af7b0e798f9a74ca7975eac
SHA256 hash: 6afdfee605fea7f98b5be7fd4a50bc24181929a22530fdd01c2bc4f012ee4ba2
MD5 hash: 56cc19876a0f45d09f7f409289b254b6
SHA1 hash: 624dab4529371a4da07ed1c37be63184c037e859
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments