MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b2b43b211d67ed0609ef84453212749a401057ac30abb9b06d54e0021b8c727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 14



SHA256 hash: 6b2b43b211d67ed0609ef84453212749a401057ac30abb9b06d54e0021b8c727
SHA3-384 hash: ead5a49f3a7b3c1366c29664cd423b949efc5bd452901beea3f0665a330c0b87624dd8c490ef3987c217965b52cc859a
SHA1 hash: c752fac2871f71950b656e797bf1460218f337ee
MD5 hash: 5042366fc8a3711d86f436285b41d5b1
humanhash: table-hot-diet-two
File name: file
Signature: Amadey
File size: 293'888 bytes
First seen: 2022-12-16 10:42:53 UTC
Last seen: 2022-12-16 12:50:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 915ad03d5b3522248c2c91d75d5158ed (2 x Smoke Loader, 1 x Amadey)
ssdeep: 6144:n+htxLmN3xDrdgwOJyzIUkILYPNkQ/Optse8qMrc:n+htx23x9VThYPGv8n
TLSH: T1A754E11172B0C032C16F1630C962D3E58A7EFD311E71E6473776B6AF6E30A91662B74A
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 9a9acefecee6eae6 (50 x Smoke Loader, 41 x Amadey, 12 x RedLineStealer)
Reporter: andretavare5
Tags: Amadey exe


andretavare5
Sample downloaded from http://31.41.244.228/fusa/bibar.exe

Intelligence


File Origin
# of uploads: 5
# of downloads: 181
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-12-16 10:45:18 UTC
Tags: trojan amadey loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Launching cmd.exe command interpreter
Creating a file
Creating a window
Delayed reading of the file
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending an HTTP GET request
Searching for synchronization primitives
Adding an access-denied ACE
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph: (graph image not reproduced; labels recovered from it)
Behavior Graph ID: 768367, Sample: file.exe, Startdate: 16/12/2022, Architecture: WINDOWS, Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 5 other signatures
file.exe: drops C:\Users\user\AppData\Local\...\gntuud.exe (PE32) and C:\Users\user\...\gntuud.exe:Zone.Identifier (ASCII); Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to inject code into remote processes; starts gntuud.exe
gntuud.exe: connects to 62.204.41.79 (TNNET-ASTNNetOyMainnetworkFI, United Kingdom); drops C:\Users\user\AppData\Roaming\...\cred64.dll (PE32) and C:\Users\user\AppData\Local\...\cred64[1].dll (PE32); Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Creates an undocumented autostart registry key; 2 other signatures; starts rundll32.exe, cmd.exe, schtasks.exe
rundll32.exe: connects to 192.168.2.5; System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; 2 other signatures
cmd.exe: starts conhost.exe, cmd.exe, cacls.exe and 4 other processes
schtasks.exe: starts conhost.exe
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-12-16 10:43:09 UTC
File Type: PE (Exe)
Extracted files: 56
AV detection: 18 of 26 (69.23%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:amadey collection persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
Malware Config
C2 Extraction:
62.204.41.79/fb73jc3/index.php
62.204.41.13/gjend7w/index.php
Dropper Extraction:
https://e-hemsire.net/data/avatars/config_20.ps1
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 37de71b43236c63687b44f238a17cde5f16bea2b2ec8c29b0ea42b62de947d6d
MD5 hash: c6524cc2cb091e23be6d9526d6bcbc99
SHA1 hash: 8a1fc0333392dcd9ff664f64ce88d7abdfd882dc
Detections: Amadey
Parent samples :
SHA256 hash: 6b2b43b211d67ed0609ef84453212749a401057ac30abb9b06d54e0021b8c727
MD5 hash: 5042366fc8a3711d86f436285b41d5b1
SHA1 hash: c752fac2871f71950b656e797bf1460218f337ee
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments