MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d1241956d65bba70a52a1e09b79ede95960c6e8b3451077ff64a0417b2129cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d1241956d65bba70a52a1e09b79ede95960c6e8b3451077ff64a0417b2129cd
SHA3-384 hash: 059c158f1e9f94b1b6f8fe7eeced13bbed7495f6b7489b62cbb2aba36b2bcb2f74a538c9c765813fb74db6c32275436a
SHA1 hash: 401345950431dac490d1fad1ee42ac54f06e7ce4
MD5 hash: da4530c22123f908d8970aac2b3a455c
humanhash: salami-zulu-massachusetts-shade
File name:da4530c22123f908d8970aac2b3a455c.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:5'606'400 bytes
First seen:2025-03-09 12:38:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:AI+jlewhOVH75uWKdo1saEfYh1xLYHS3D8oCTQN7gCFoG+xAZ9HkYk84GrKU6FK/:AhjYP5umL/iy3jV9JEp8reUkKTlTzcf
TLSH T110463357E7E8C066E6D4E3F188FB1247063EBF502FA0214B1257486A1D9286A77317BF
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10522/11/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
433
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
da4530c22123f908d8970aac2b3a455c.exe
Verdict:
Malicious activity
Analysis date:
2025-03-09 12:50:42 UTC
Tags:
stealer amadey botnet lumma opendir loader stealc rdp themida
Link:
https://app.any.run/tasks/e32e9c8a-7086-4f65-befe-b67ffff5da0e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cd8ea21f777fe3060857c4
Tags:
vmdetect phishing autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm CAB crypt explorer installer installer lolbin microsoft_visual_cc packed packed packer_detected rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/67cd8bf13c5f644bd949da12/reports/1ec54171-8095-4bbe-96a4-21296cbc2c8f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/6d1241956d65bba70a52a1e09b79ede95960c6e8b3451077ff64a0417b2129cd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/56967e14-a2c8-4376-a69e-d5d8d8773fe0
Result
Threat name:
ScreenConnect Tool, Amadey, LummaC Steal
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1632948
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Creates files in the system32 config directory
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Enables network access during safeboot for specific services
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies security policies related information
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Possible COM Object hijacking
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1632948 Sample: IFwhIemq7R.exe Startdate: 09/03/2025 Architecture: WINDOWS Score: 100 250 Found malware configuration 2->250 252 Malicious sample detected (through community Yara rule) 2->252 254 Antivirus detection for URL or domain 2->254 256 20 other signatures 2->256 13 IFwhIemq7R.exe 1 4 2->13         started        16 msiexec.exe 2->16         started        19 ScreenConnect.ClientService.exe 2->19         started        22 8 other processes 2->22 process3 dnsIp4 152 C:\Users\user\AppData\Local\...\y0s63.exe, PE32 13->152 dropped 154 C:\Users\user\AppData\Local\...\3s35x.exe, PE32 13->154 dropped 24 y0s63.exe 1 4 13->24         started        156 C:\Windows\Installer\MSIFCAA.tmp, PE32 16->156 dropped 158 C:\Windows\Installer\MSIF8C1.tmp, PE32 16->158 dropped 160 C:\Windows\Installer\MSID3D1.tmp, PE32 16->160 dropped 162 12 other malicious files 16->162 dropped 200 Enables network access during safeboot for specific services 16->200 202 Modifies security policies related information 16->202 27 msiexec.exe 16->27         started        29 msiexec.exe 16->29         started        31 msiexec.exe 16->31         started        166 176.97.112.17 ARCHERNETRU Ukraine 19->166 204 Reads the Security eventlog 19->204 206 Reads the System eventlog 19->206 33 ScreenConnect.WindowsBackstageShell.exe 19->33         started        36 ScreenConnect.WindowsClient.exe 19->36         started        38 ScreenConnect.WindowsClient.exe 19->38         started        168 185.125.50.8 INPLATLABS-ASRU Russian Federation 22->168 208 Contains functionality to start a terminal service 22->208 210 Changes security center settings (notifications, updates, antivirus, firewall) 22->210 212 Hides threads from debuggers 22->212 214 2 other signatures 22->214 40 MpCmdRun.exe 22->40         started        42 WerFault.exe 22->42         started        file5 signatures6 process7 file8 114 C:\Users\user\AppData\Local\...\2M8998.exe, PE32 24->114 dropped 116 C:\Users\user\AppData\Local\...\1w90A2.exe, PE32 24->116 dropped 44 1w90A2.exe 4 24->44         started        48 2M8998.exe 1 24->48         started        51 rundll32.exe 27->51         started        216 Creates files in the system32 config directory 33->216 218 Installs a global keyboard hook 33->218 220 Contains functionality to hide user accounts 36->220 53 conhost.exe 40->53         started        55 Conhost.exe 42->55         started        signatures9 process10 dnsIp11 140 C:\Users\user\AppData\Local\...\rapes.exe, PE32 44->140 dropped 290 Detected unpacking (changes PE section rights) 44->290 292 Contains functionality to start a terminal service 44->292 294 Tries to evade debugger and weak emulator (self modifying code) 44->294 306 4 other signatures 44->306 57 rapes.exe 6 91 44->57         started        164 104.21.16.1 CLOUDFLARENETUS United States 48->164 142 C:\Users\user\...\11ZE9MC43M0YZ5N4GVFE6A.exe, PE32 48->142 dropped 296 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->296 298 Query firmware table information (likely to detect VMs) 48->298 300 Found many strings related to Crypto-Wallets (likely being stolen) 48->300 302 Tries to steal Crypto Currency Wallets 48->302 62 11ZE9MC43M0YZ5N4GVFE6A.exe 48->62         started        144 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 51->144 dropped 146 C:\...\ScreenConnect.InstallerActions.dll, PE32 51->146 dropped 148 C:\Users\user\...\ScreenConnect.Core.dll, PE32 51->148 dropped 150 4 other malicious files 51->150 dropped 304 Contains functionality to hide user accounts 51->304 file12 signatures13 process14 dnsIp15 180 176.113.115.6 SELECTELRU Russian Federation 57->180 182 176.113.115.7 SELECTELRU Russian Federation 57->182 118 C:\Users\user\AppData\...\d3a84523e6.exe, PE32 57->118 dropped 120 C:\Users\user\AppData\...\1bc9980724.exe, PE32 57->120 dropped 122 C:\Users\user\AppData\...\384824acd2.exe, PE32 57->122 dropped 124 42 other malicious files 57->124 dropped 264 Detected unpacking (changes PE section rights) 57->264 266 Contains functionality to start a terminal service 57->266 268 Creates multiple autostart registry keys 57->268 276 3 other signatures 57->276 64 HmngBpR.exe 57->64         started        68 FvbuInU.exe 57->68         started        71 mAtJWNv.exe 57->71         started        73 5 other processes 57->73 270 Tries to detect sandboxes and other dynamic analysis tools (window names) 62->270 272 Tries to evade debugger and weak emulator (self modifying code) 62->272 274 Hides threads from debuggers 62->274 file16 signatures17 process18 dnsIp19 102 C:\Users\user\AppData\...\vcruntime140.dll, PE32 64->102 dropped 104 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32 64->104 dropped 106 C:\Users\user\AppData\Local\...\SplashWin.exe, PE32 64->106 dropped 108 C:\Users\user\AppData\Local\...\DuiLib_u.dll, PE32 64->108 dropped 222 Found direct / indirect Syscall (likely to bypass EDR) 64->222 75 SplashWin.exe 64->75         started        170 104.21.80.1 CLOUDFLARENETUS United States 68->170 172 104.21.96.1 CLOUDFLARENETUS United States 68->172 178 2 other IPs or domains 68->178 224 Multi AV Scanner detection for dropped file 68->224 226 Detected unpacking (changes PE section rights) 68->226 228 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 68->228 238 6 other signatures 68->238 230 Injects a PE file into a foreign processes 71->230 79 mAtJWNv.exe 71->79         started        82 WerFault.exe 71->82         started        174 149.154.167.99 TELEGRAMRU United Kingdom 73->174 176 104.21.69.194 CLOUDFLARENETUS United States 73->176 110 C:\Users\user\AppData\Local\...behaviorgraphxtuum.exe, PE32 73->110 dropped 232 Detected unpacking (creates a PE file in dynamic memory) 73->232 234 Query firmware table information (likely to detect VMs) 73->234 236 Contains functionality to hide user accounts 73->236 240 2 other signatures 73->240 84 chrome.exe 73->84         started        86 msiexec.exe 73->86         started        88 Gxtuum.exe 73->88         started        file20 signatures21 process22 dnsIp23 126 C:\Users\user\AppData\...\vcruntime140.dll, PE32 75->126 dropped 128 C:\Users\user\AppData\...\msvcp140.dll, PE32 75->128 dropped 130 C:\Users\user\AppData\...\SplashWin.exe, PE32 75->130 dropped 132 C:\Users\user\AppData\...\DuiLib_u.dll, PE32 75->132 dropped 278 Switches to a custom stack to bypass stack traces 75->278 280 Found direct / indirect Syscall (likely to bypass EDR) 75->280 90 SplashWin.exe 75->90         started        190 5.75.210.149 HETZNER-ASDE Germany 79->190 192 78.47.20.171 HETZNER-ASDE Germany 79->192 198 2 other IPs or domains 79->198 282 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 79->282 284 Found many strings related to Crypto-Wallets (likely being stolen) 79->284 286 Tries to harvest and steal ftp login credentials 79->286 288 3 other signatures 79->288 194 40.71.93.126 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 82->194 196 192.168.2.4 unknown unknown 84->196 134 C:\Users\...\Unconfirmed 569605.crdownload, PE32 84->134 dropped 136 9959fc61-f7be-44bf-8d38-f019c8ce6ec5.tmp, PE32 84->136 dropped 93 chrome.exe 84->93         started        138 C:\Users\user\AppData\Local\...\MSIEC8B.tmp, PE32 86->138 dropped file24 signatures25 process26 dnsIp27 258 Maps a DLL or memory area into another process 90->258 260 Switches to a custom stack to bypass stack traces 90->260 262 Found direct / indirect Syscall (likely to bypass EDR) 90->262 96 cmd.exe 90->96         started        184 2.23.246.101 QA-ISPQA European Union 93->184 186 13.107.246.60 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 93->186 188 16 other IPs or domains 93->188 signatures28 process29 file30 112 C:\Users\user\AppData\Local\Temp\yukbsspvqd, PE32 96->112 dropped 242 Injects code into the Windows Explorer (explorer.exe) 96->242 244 Writes to foreign memory regions 96->244 246 Found hidden mapped module (file has been removed from disk) 96->246 248 Switches to a custom stack to bypass stack traces 96->248 100 conhost.exe 96->100         started        signatures31 process32
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6d1241956d65bba70a52a1e09b79ede95960c6e8b3451077ff64a0417b2129cd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d1241956d65bba70a52a1e09b79ede95960c6e8b3451077ff64a0417b2129cd/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-03-09 12:39:14 UTC
File Type:
PE (Exe)
Extracted files:
78
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nujedflnmw52ocssuhqjw6pn5fmwbrxiwncra577msqec6zbfhgq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
lummastealer
Create hunting rule
stealc
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:asyncrat family:lumma family:redline family:sectoprat family:stealc family:stormkitty family:vidar botnet:092155 botnet:build 7 botnet:ir7am botnet:trump credential_access defense_evasion discovery execution infostealer persistence privilege_escalation rat spyware stealer trojan
Link:
https://tria.ge/reports/250309-pvpb9s1vfz/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Browser Information Discovery
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
.NET Reactor proctector
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
AsyncRat
Asyncrat family
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Stealc
Stealc family
StormKitty
StormKitty payload
Stormkitty family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Malware Config
C2 Extraction:
http://176.113.115.6
https://defaulemot.run/api
https://ibegindecafer.world/api
https://hgaragedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://catterjur.run/api
https://orangemyther.live/api
https://fostinjec.today/api
https://sterpickced.digital/api
https://nebdulaq.digital/api
https://begindecafer.world/api
https://garagedrootz.top/api
https://acatterjur.run/api
https://garisechairedd.shop/api
https://0modelshiverd.icu/api
https://biochextryhub.bet/api
https://q8explorebieology.run/api
https://gadgethgfub.icu/api
https://moderzysics.top/api
https://5ktechmindzs.live/api
https://6codxefusion.top/api
https://7phygcsforum.life/api
https://techspherxe.top/api
https://earthsymphzony.today/api
https://dawtastream.bet/api
https://foresctwhispers.top/api
https://tracnquilforest.life/api
https://xcollapimga.fun/api
https://strawpeasaen.fun/api
https://jquietswtreams.life/api
https://starrynsightsky.icu/api
http://45.93.20.28
https://t.me/l793oy
https://steamcommunity.com/profiles/76561199829660832
101.99.92.190:40919
https://codxefusion.top/api
Dropper Extraction:
http://176.113.115.7/mine/random.exe
Verdict:
Malicious
Tags:
stealer redline c2 lumma_stealer lumma stealc
YARA:
detect_Redline_Stealer
Link:
https://app.threat.zone/submission/3c4b1bbc-9817-4294-b530-14eb96801909
Unpacked files
SH256 hash:
6d1241956d65bba70a52a1e09b79ede95960c6e8b3451077ff64a0417b2129cd
MD5 hash:
da4530c22123f908d8970aac2b3a455c
SHA1 hash:
401345950431dac490d1fad1ee42ac54f06e7ce4
Link:
https://www.unpac.me/results/cbced86b-b871-4dcf-aaaa-fafa72363dd4/
SH256 hash:
8a94e91e3e575adfd773d0be26c9cdd5b43d98ee17b43e00dbff1b78e39b5f98
MD5 hash:
ee81d7379de13ed780360fb8cceb0d0c
SHA1 hash:
8e7aaa26b318d4ad83faf06b7b1f7f88b42bfce7
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/cbced86b-b871-4dcf-aaaa-fafa72363dd4/
SH256 hash:
b5b3f2b5cbdfc4e594767ed3c8ba4c1b92ddbfcf37e5cd3d83dbd73d3145dfc3
MD5 hash:
79bccaea06661679d8b0b5424c020ac8
SHA1 hash:
5b2902e1762a951e5f72267a8621d23282a0f158
Link:
https://www.unpac.me/results/cbced86b-b871-4dcf-aaaa-fafa72363dd4/
SH256 hash:
21e40a1805501130662e6a2d132212b55f8627e2fdad6995fd0e476443b6c93b
MD5 hash:
e3e52de3f60f6e2d92ec7e584e1a5b56
SHA1 hash:
9f6d6f6eb6d16e8b969ba2a19a5bbc6fc1a6a9ae
Detections:
stealc
Create hunting rule
win_stealc_a0
Create hunting rule
win_stealc_w0
Create hunting rule
Link:
https://www.unpac.me/results/cbced86b-b871-4dcf-aaaa-fafa72363dd4/
SH256 hash:
923f3830ca0f02e7f54c45daec29d5181328e7be214ae41c9c416abbf24ba28f
MD5 hash:
164b2a3aaf79ca8929bab7a8a6bd72f0
SHA1 hash:
d2dd7c9e1c9a5998f8b7d639bf4808cc7efa8b44
Link:
https://www.unpac.me/results/cbced86b-b871-4dcf-aaaa-fafa72363dd4/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d1241956d65/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d1241956d65bba70a52a1e09b79ede95960c6e8b3451077ff64a0417b2129cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:infostealer_win_stealc_standalone
Create hunting rule
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:malware_Stealc_str
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:Stealc infostealer
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Stealc
Create hunting rule
Author:kevoreilly
Description:Stealc Payload
Rule name:Stealer_Stealc
Create hunting rule
Author:Still
Description:attempts to match instructions/strings found in Stealc
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_2bba6bae
Create hunting rule
Author:Elastic Security
Rule name:win_stealc_generic
Create hunting rule
Author:dubfib
Rule name:win_stealc_w0
Create hunting rule
Author:crep1x
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 6d1241956d65bba70a52a1e09b79ede95960c6e8b3451077ff64a0417b2129cd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3470471/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3470479/
  
URLhaus
https://urlhaus.abuse.ch/url/3470476/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments