MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bc16a0fabdbf1ee927163a5858a964f1c6cb3b0e56cfb65a45a3d8bd0f1b7b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 15

Intelligence 15 IOCs YARA 8 File information Comments

SHA256 hash:	6bc16a0fabdbf1ee927163a5858a964f1c6cb3b0e56cfb65a45a3d8bd0f1b7b7
SHA3-384 hash:	f8e986fae509799294ad9f040fb1a1bcc4288bbc7d8ea6b027df8e7d1c9b272e4cb0cfd8dec95931fd6971a911124d42
SHA1 hash:	d03b2a44ebc4157c34461b0d4a223eff557481e2
MD5 hash:	f959d22abcd5b8b4b5d9535ac220c370
humanhash:	nuts-whiskey-indigo-jersey
File name:	f959d22abcd5b8b4b5d9535ac220c370.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	1'070'592 bytes
First seen:	2023-10-16 14:35:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:MyNzMRmqiG+yHQFU8qk2gvgd0grP1ApP3cr012:7NosIHfgoLP1ApPcr
TLSH	T14635235667E84035C9A677B050FA0AD303327DA34CB18A563B86E46F1CB35D8AD7633B
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
95.217.30.187:8443

Intelligence

File Origin

# of uploads :

# of downloads :

328

Origin country :

Vendor Threat Intelligence

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/454917/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a service

Creating a file

Launching a process

Sending a custom TCP request

Сreating synchronization primitives

Running batch commands

Creating a window

Searching for synchronization primitives

Searching for the browser window

DNS request

Blocking the Windows Defender launch

Disabling the operating system update service

Forced shutdown of a system process

Sending a TCP request to an infection source

Unauthorized injection to a system process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32

Link:

https://www.filescan.io/uploads/652d4a538d16e62970c814db/reports/40eb3f03-8fb4-4c8c-9976-bc7e6d65c4af/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/6bc16a0fabdbf1ee927163a5858a964f1c6cb3b0e56cfb65a45a3d8bd0f1b7b7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/94d16fb0-2e1f-4f08-a4e6-a9c55ef8a52c

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6bc16a0fabdbf1ee927163a5858a964f1c6cb3b0e56cfb65a45a3d8bd0f1b7b7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6bc16a0fabdbf1ee927163a5858a964f1c6cb3b0e56cfb65a45a3d8bd0f1b7b7/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-10-16 14:36:05 UTC

File Type:

PE (Exe)

Extracted files:

151

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=npawud5l3py65etrmosylcuwj4ogzm5q4vwpwzneli6yxuhrw63q._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:dcrat family:glupteba family:redline family:sectoprat family:smokeloader botnet:@ytlogsbot botnet:breha botnet:kukish botnet:pixelscloud2.0 backdoor brand:google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan

Link:

https://tria.ge/reports/231016-rykjlaag32/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Program crash

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

Manipulates WinMonFS driver.

.NET Reactor proctector

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Windows security modification

Downloads MZ/PE file

Drops file in Drivers directory

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Modifies boot configuration data using bcdedit

DcRat

Detected google phishing page

Glupteba

Glupteba payload

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

SectopRAT

SectopRAT payload

SmokeLoader

Windows security bypass

Malware Config

C2 Extraction:

77.91.124.55:19071
http://77.91.68.29/fks/
85.209.176.128:80
185.216.70.238:37515

Unpacked files

SH256 hash:

5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

MD5 hash:

53e28e07671d832a65fbfe3aa38b6678

SHA1 hash:

6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

Link:

https://www.unpac.me/results/589380f2-f248-4a53-87d3-a98a0c9b6232/

SH256 hash:

935c1e0c950bf30a3581d9cc8e8c76b415474af263b4fd62104add745c6ebd6b

MD5 hash:

159e819ad3db871c3f2743975ed8c0d9

SHA1 hash:

ccc760ffece14208b32d8cdd34c193d4b0df51d6

Link:

https://www.unpac.me/results/589380f2-f248-4a53-87d3-a98a0c9b6232/

SH256 hash:

957fd845e3941fa3294fe6bd5ecab960651a7b445b39a97eb1339e9389c2273c

MD5 hash:

b8fc3344e1a44f40c62b8c7bd170d125

SHA1 hash:

011b0c7eb44e2069e7c757bb57b4c060def52611

Link:

https://www.unpac.me/results/589380f2-f248-4a53-87d3-a98a0c9b6232/

SH256 hash:

e07746ebbd6ede34d8f17138c57bbc599a695ed21f30374169d511098331c2f1

MD5 hash:

e88ac92954f81b958411a2ceb3bf65a0

SHA1 hash:

67f2717b81e1fc98a382a3a9a318daad25b8e2a6

Link:

https://www.unpac.me/results/589380f2-f248-4a53-87d3-a98a0c9b6232/

SH256 hash:

9d246a034a77b3e4bf92d9cff64139a77252e2b3e7f3cdb8cdb61fdd08ff5431

MD5 hash:

c38c5d276033f50fd3f478c55d18cf40

SHA1 hash:

ddbea413a9f872c02fb42326e84be9f0440693d9

Link:

https://www.unpac.me/results/589380f2-f248-4a53-87d3-a98a0c9b6232/

SH256 hash:

4d36e5b47852647773d6d2a20e70df7a20585f7fab658107f0b17bc3ee631329

MD5 hash:

2fb424b2606ea32c04ad9e9a2051bca1

SHA1 hash:

a93938e1b5dcb6083d14f39422dffa2432a587b9

Link:

https://www.unpac.me/results/589380f2-f248-4a53-87d3-a98a0c9b6232/

SH256 hash:

6bc16a0fabdbf1ee927163a5858a964f1c6cb3b0e56cfb65a45a3d8bd0f1b7b7

MD5 hash:

f959d22abcd5b8b4b5d9535ac220c370

SHA1 hash:

d03b2a44ebc4157c34461b0d4a223eff557481e2

Link:

https://www.unpac.me/results/589380f2-f248-4a53-87d3-a98a0c9b6232/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6bc16a0fabdb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6bc16a0fabdbf1ee927163a5858a964f1c6cb3b0e56cfb65a45a3d8bd0f1b7b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Author:	qux
Description:	Detects exe does not have import table

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

exe 6bc16a0fabdbf1ee927163a5858a964f1c6cb3b0e56cfb65a45a3d8bd0f1b7b7

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2715539/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/454917/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample