MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b23abaea95768da8ce9fc5be1df50971eba79d76a53b7ad8cf62386be4ae8aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 17

Intelligence 17 IOCs 1 YARA 2 File information Comments

SHA256 hash:	6b23abaea95768da8ce9fc5be1df50971eba79d76a53b7ad8cf62386be4ae8aa
SHA3-384 hash:	7f07f2338dcc4ebaaff4a48ea7cfa5ab81dfd65d79c992b18cfa701a87ce8640e7bc0f5c51112cb947178527d3028da0
SHA1 hash:	6e2c6c90a99a56dfa270ba632b004c11d838daec
MD5 hash:	7147c519ad7a99acdd4401acb55783e7
humanhash:	alabama-eight-cold-jersey
File name:	7147c519ad7a99acdd4401acb55783e7.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	417'792 bytes
First seen:	2024-09-25 11:10:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a11cbe8ba3528a436618e8dc32e663a6 (4 x Stealc, 1 x Amadey, 1 x LummaStealer)
ssdeep	6144:2epy2xHE4KMQyO267A2Hv2+704i2kVnNOTPnWK2LUmeeh7quN2TE:Zpy+HE4KIS77P2l4i2kVngTvWK42uNT
Threatray	21 similar samples on MalwareBazaar
TLSH	T146949D4392D5BFB0F5278A329E1ECAE9365DF8624E15776F225B6E1F24B01B1C123B01
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	10306844c0942800 (1 x Amadey)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
http://185.215.113.37/e2b1563c6670f193.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.215.113.37/e2b1563c6670f193.php	https://threatfox.abuse.ch/ioc/1328966/

Intelligence

File Origin

# of uploads :

# of downloads :

431

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7147c519ad7a99acdd4401acb55783e7.exe

Verdict:

Malicious activity

Analysis date:

2024-09-25 11:12:11 UTC

Tags:

stealer stealc loader exfiltration

Link:

https://app.any.run/tasks/45b5ea26-fe18-40f3-a233-5a5f8f1a33eb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66f3efc956c487103d525e27

Tags:

Infostealer Network Stealth Cobalt Lien Spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Connection attempt to an infection source

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/66f3efcd51c8a9eee1739d1e/reports/bf650635-a648-4c3d-94fb-9fcdd3e2594b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6b23abaea95768da8ce9fc5be1df50971eba79d76a53b7ad8cf62386be4ae8aa

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cedfb7c6-13e1-4ec6-ae81-9fc7d1904e86

Result

Threat name:

Stealc, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1518131

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Suricata IDS alerts for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6b23abaea95768da8ce9fc5be1df50971eba79d76a53b7ad8cf62386be4ae8aa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b23abaea95768da8ce9fc5be1df50971eba79d76a53b7ad8cf62386be4ae8aa/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2024-09-25 10:55:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 38 (52.63%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nmr2xlvjk5unvdhj7rn6dx2qs4plu6oxnjj3plmm6yrynpsk5cva._file

Verdict:

malicious

Label(s):

stealc

shellcode_loader_002

Amadey

4f363d41d1e54162264275eb262685aa6508af2edfb2af7a1b1b95034ffa63ee

Amadey

5dea0d7ca0ceda1a20692bb09d5809b654729f6e790a29be3cd85366e361641c

Amadey

8f3b669882cbc3302feae900aaeb4abd04f613eb58b43428aff8bf222dd731cb

Amadey

ae3ae0f5f9d8e2911a2e7feecf26e9567ca3f4fe8a9b6c9d7f350c2db6e6e1eb

Amadey

e7d6fc3e8c20d867d0f36ea1f614881a748db6fd4cdd42c5dc98a4a0c2790792

Amadey

+ 11 additional samples on MalwareBazaar

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:save discovery stealer

Link:

https://tria.ge/reports/240925-m99weasakn/

Behaviour

Program crash

System Location Discovery: System Language Discovery

Stealc

Malware Config

C2 Extraction:

http://185.215.113.37

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/73854020-84a6-4b11-b91b-4dca497563a4

Unpacked files

SH256 hash:

d8546f99164fffd3bc7b952800f6b2464c2274a9ecea6189917cb8d5aceba451

MD5 hash:

f16af90f3657d850ff54444e057d3be2

SHA1 hash:

4e372737fb2e6cdbe47200577f9ed02304c77197

Detections:

stealc

Link:

https://www.unpac.me/results/0eb07c5c-067e-413b-b36a-d0eaf341a478/

Parent samples :

8f3b669882cbc3302feae900aaeb4abd04f613eb58b43428aff8bf222dd731cb
5dea0d7ca0ceda1a20692bb09d5809b654729f6e790a29be3cd85366e361641c
afabd219f0d644da4f9542932cbb5afcbcb0c66a2302c2353bb89447104cbb93
e7d6fc3e8c20d867d0f36ea1f614881a748db6fd4cdd42c5dc98a4a0c2790792
040a58a233ddf5f6bf49e3b5bd4a4fe5d8ae1d764e698b446ca08776863aafc4
4f363d41d1e54162264275eb262685aa6508af2edfb2af7a1b1b95034ffa63ee
6b23abaea95768da8ce9fc5be1df50971eba79d76a53b7ad8cf62386be4ae8aa
2cef6d9917bbccdc5ffffbf7b687da70e673f3a5dc6923c715e4fc50e0115e17
76198db64bf16862b47203d12c9b9e3db2474b148cc79030a693a8dc281c1ccb
f6a3509d62ecfb46306ab67cd75d4addb466cdd9a76782889110ce50acd5f369

SH256 hash:

3986363fb8deb6927a153051c4d412001481d4cb60a113261c0e0402238bfef9

MD5 hash:

f5aa858b2cbbb784ca62b8891c9f557e

SHA1 hash:

f45f07667a035a43b06a5f43755e249a67a01f67

Link:

https://www.unpac.me/results/0eb07c5c-067e-413b-b36a-d0eaf341a478/

SH256 hash:

6b23abaea95768da8ce9fc5be1df50971eba79d76a53b7ad8cf62386be4ae8aa

MD5 hash:

7147c519ad7a99acdd4401acb55783e7

SHA1 hash:

6e2c6c90a99a56dfa270ba632b004c11d838daec

Link:

https://www.unpac.me/results/0eb07c5c-067e-413b-b36a-d0eaf341a478/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b23abaea95768da8ce9fc5be1df50971eba79d76a53b7ad8cf62386be4ae8aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

exe 6b23abaea95768da8ce9fc5be1df50971eba79d76a53b7ad8cf62386be4ae8aa

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3183446/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle WINHTTP.dll::WinHttpCloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetDiskFreeSpaceExW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleInputA KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleAliasExesLengthW KERNEL32.dll::GetConsoleAliasExesA KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateHardLinkA KERNEL32.dll::CreateFileMappingA KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::GetWindowsDirectoryA KERNEL32.dll::GetFileAttributesA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample