MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e8b742abfee47d32d9f7287daa0143565ed6f48c4ff9406ac1e8b2290f72c9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 13



SHA256 hash: 6e8b742abfee47d32d9f7287daa0143565ed6f48c4ff9406ac1e8b2290f72c9b
SHA3-384 hash: a8de9e09efcb6f0634fb240c522f97058319b46c1fc040777a6fb94279c6490b8c23e233252b30f407d37ade2356ca70
SHA1 hash: 76fa961da3f87f1ca045bf37f71883fb4649a3e7
MD5 hash: 2d244458e27de830d4dedd8d99cc98c9
humanhash: low-burger-apart-snake
File name: 6e8b742abfee47d32d9f7287daa0143565ed6f48c4ff9.exe
Download: download sample
Signature: Amadey
File size: 4'180'752 bytes
First seen: 2023-01-30 20:10:26 UTC
Last seen: 2023-01-30 21:56:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f540b6d6dcfc33b21d0deb0ccba24751 (3 x RedLineStealer, 2 x PrivateLoader, 2 x Amadey)
ssdeep: 98304:X9VjGmi6Y+tlo4mL+C7epxzHuKbFmjBlIu2/OZFuHxMMMo:N0mi6v/OqxzOKbkv+/i0
Threatray: 8'904 similar samples on MalwareBazaar
TLSH: T16716233317655089E0E6CC3ACA3BFEE571F6426B8F82FC79659969C214314F2E207A47
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: b4f066611d19999e (1 x Amadey)
Reporter: abuse_ch
Tags: Amadey exe signed

Code Signing Certificate

Organisation: Verbatim Digital EVO-II 5Tb HDWG460EZSTA N300 (4096rpm) 4036Mb 0.5 Rtl
Issuer: Verbatim Digital EVO-II 5Tb HDWG460EZSTA N300 (4096rpm) 4036Mb 0.5 Rtl
Algorithm: sha1WithRSAEncryption
Valid from: 2023-01-23T16:25:53Z
Valid to: 2033-01-24T16:25:53Z
Serial number: 553d3caffdce00a444b8ada12d77912c
Thumbprint Algorithm: SHA256
Thumbprint: 231788f9b1463b0911f51a57ebf752a64ce8c30ed2873c37a31fc45e04fd0437
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
Amadey C2:
http://62.204.41.92/n9dks3s/index.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 207
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: File_pass1234.zip
Verdict: Malicious activity
Analysis date: 2023-01-26 20:09:21 UTC
Tags: evasion opendir loader trojan amadey rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
Sending an HTTP GET request
Replacing files
DNS request
Sending a custom TCP request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Searching for analyzing tools
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Glupteba, Nymaim, PrivateLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Found C&C like URL pattern
Found Tor onion address
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS TXT record lookups
Queries the IP of a very long domain name
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses STUN server to do NAT traversial
Uses TOR for connection hidding
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 794700; sample 6e8b742abfee47d32d9f7287daa...; start date 30/01/2023; architecture WINDOWS; score 100), rendered here as a node list:

Root (node 2)
  Network: 45.12.253.98 (CMCSUS, Germany); www.profitabletrustednetwork.com; 20 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 27 other signatures
  Started: 6e8b742abfee47d32d9f7287daa0143565ed6f48c4ff9.exe (node 10)

Process 10: 6e8b742abfee47d32d9f7287daa0143565ed6f48c4ff9.exe
  Network: 23.254.227.214, 49702, 80 (HOSTWINDSUS, United States); vk.com 87.240.132.67, 443, 49704, 49705 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 16 other IPs or domains
  Dropped: C:\Users\...\uv5yAxhBTDbMmS2pDYhBTM5f.exe (PE32); C:\Users\...\oCeWxVVbIVspLjTZjTMBsWNq.exe (PE32); C:\Users\...\njruyJna_Caj1SAqnIfVQfzZ.exe (PE32); 16 other malicious files
  Signatures: May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender (deletes autostart); 3 other signatures
  Started: UoxW8euIDsnnWVB9MYOMqf1R.exe (node 15); njruyJna_Caj1SAqnIfVQfzZ.exe (node 18); uv5yAxhBTDbMmS2pDYhBTM5f.exe (node 20); 8 other processes (node 22)

Process 15: UoxW8euIDsnnWVB9MYOMqf1R.exe
  Dropped: C:\Users\user\AppData\Local\...\nbveek.exe (PE32)
  Started: nbveek.exe (node 26)

Process 18: njruyJna_Caj1SAqnIfVQfzZ.exe
  Dropped: C:\Users\...\njruyJna_Caj1SAqnIfVQfzZ.tmp (PE32)
  Started: njruyJna_Caj1SAqnIfVQfzZ.tmp (node 31)

Process 20: uv5yAxhBTDbMmS2pDYhBTM5f.exe
  Dropped: C:\Users\...\uv5yAxhBTDbMmS2pDYhBTM5f.tmp (PE32)
  Started: uv5yAxhBTDbMmS2pDYhBTM5f.tmp (node 33)

Node 22: 8 other processes
  Network: star-mini.c10r.facebook.com 157.240.253.35 (FACEBOOKUS, United States); siaoheg.aappatey.com 45.66.159.142 (ENZUINC-US, Russian Federation); 2 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32, listed twice); C:\ProgramData\versionApp\SRIKA.exe (PE32+)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Sets debug register (to hijack the execution of another thread)
  Started: Install.exe (node 35); Install.exe (node 37); wscript.exe (node 39)

Process 26: nbveek.exe
  Network: 62.204.41.92 (TNNET-ASTNNetOyMainnetworkFI, United Kingdom); 176.113.115.183 (SELECTELRU, Russian Federation)
  Dropped: C:\Users\user\AppData\Roaming\...\vina1.exe (PE32); 21 other malicious files
  Signatures: Creates multiple autostart registry keys
  Started: moda.exe (node 41); cmd.exe (node 44); trena1.exe (node 46); druid.exe (node 48)

Process 31: njruyJna_Caj1SAqnIfVQfzZ.tmp
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 7 other files (6 malicious)
  Started: finalrecovery.exe (node 50)

Process 33: uv5yAxhBTDbMmS2pDYhBTM5f.tmp
  Network: s3.pl-waw.scw.cloud 151.115.10.1 (OnlineSASFR, United Kingdom); infra-red.s3.pl-waw.scw.cloud; blue-tooth.s3.pl-waw.scw.cloud
  Dropped: 4 other files (2 malicious)
  Started: 786fiyon.exe (node 54)

Process 35: Install.exe
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Started: Install.exe (node 56)

Process 37: Install.exe
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Started: Install.exe (node 58)

Process 44: cmd.exe
  Started: conhost.exe (node 60); cmd.exe (node 62); cacls.exe (node 64); 3 other processes (node 69)

Process 50: finalrecovery.exe
  Network: 45.12.253.56 (CMCSUS, Germany); 45.12.253.72 (CMCSUS, Germany); 45.12.253.75 (CMCSUS, Germany)
  Dropped: C:\Users\user\AppData\Roaming\...\U8OISps.exe (PE32)
  Started: U8OISps.exe (node 66)

Process 54: 786fiyon.exe
  Dropped: C:\Users\user\AppData\...\Hicaqypisu.exe (PE32); C:\Users\user\AppData\...\Sugalynaevi.exe (PE32); C:\Program Files\...\poweroff.exe (PE32); 2 other malicious files
  Signatures: Multi AV Scanner detection for dropped file

Process 56: Install.exe
  Dropped: C:\Users\user\AppData\Local\...\cutOGcB.exe (PE32)

Process 58: Install.exe
  Dropped: C:\Users\user\AppData\Local\...\mqtmVod.exe (PE32)

Process 66: U8OISps.exe
  Signatures: Multi AV Scanner detection for dropped file
Threat name: Win32.Trojan.Nekark
Status: Malicious
First seen: 2023-01-25 13:36:00 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 23 of 39 (58.97%)
Threat level: 5/5

Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer vmprotect
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
VMProtect packed file
PrivateLoader
Unpacked files
SHA256 hash: 6e8b742abfee47d32d9f7287daa0143565ed6f48c4ff9406ac1e8b2290f72c9b
MD5 hash: 2d244458e27de830d4dedd8d99cc98c9
SHA1 hash: 76fa961da3f87f1ca045bf37f71883fb4649a3e7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments