MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7067efc25c133206570865eb8e8063d59894e5a3c457e287ca050d6fc3d182d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7067efc25c133206570865eb8e8063d59894e5a3c457e287ca050d6fc3d182d4
SHA3-384 hash: 639d5091c9fac5670b132b3d99b73cd2f5af1c6cbcd2f1133f90f7c5ec18290b3e112957310b99906ef23651a598f66e
SHA1 hash: 263410e5468c34b22002ddd6c38c0edec54c5130
MD5 hash: 85063be1269280d47cd7a92ac929e8d7
humanhash: failed-jersey-romeo-utah
File name:ama.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:4'373'368 bytes
First seen:2024-01-03 00:47:54 UTC
Last seen:2024-01-03 04:47:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ea02e00483c90b3f210e2d517ab619a (14 x Amadey, 2 x CoinMiner)
ssdeep 98304:aXQL86ZtG2fZyxobYPe9qVg8xhctOiJbA/N5NOL9L+xBgq:aXCU2fZWCYPe9uhg8iG2R
TLSH T17E16338252B7A108C509ECB150B67861D23DFF9B3C23A4F737057D7F2A5264A252BE1E
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
dhash icon e8e09686b2b296d4 (1 x Amadey)
Reporter adm1n_usa32
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
305
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
gh0st
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-01-02 17:20:43 UTC
Tags:
hausbomber loader gh0stcringe gh0st remote rat stealer opendir raccoon phorpiex trojan evasion risepro socks5systemz proxy rhadamanthys purplefox backdoor azorult parallax dupzom servstart keylogger stealc redline doina nitol amadey botnet redosdru remcos
Link:
https://app.any.run/tasks/fa12c9c1-9032-48f1-b9a3-085603e206e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating a file
Delayed reading of the file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching the process to change network settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
78%
Tags:
epmpress lolbin mpress overlay packed packed packed shell32 xpack
Link:
https://www.filescan.io/uploads/6594aec310642636b38bd498/reports/d4757a08-a7ab-4dd8-a941-1145f7079dd3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7067efc25c133206570865eb8e8063d59894e5a3c457e287ca050d6fc3d182d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3827cba7-9210-43a8-915a-8ab5162297c1
Result
Threat name:
Amadey, RedLine, SectopRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1369095
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected SectopRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1369095 Sample: ama.exe Startdate: 03/01/2024 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Found malware configuration 2->65 67 14 other signatures 2->67 8 ama.exe 4 2->8         started        12 hv.exe 2->12         started        14 hv.exe 2->14         started        16 2 other processes 2->16 process3 file4 49 C:\Users\user\AppData\Local\...\Utsysc.exe, MS-DOS 8->49 dropped 83 Detected unpacking (changes PE section rights) 8->83 85 Query firmware table information (likely to detect VMs) 8->85 87 Tries to evade debugger and weak emulator (self modifying code) 8->87 18 Utsysc.exe 1 22 8->18         started        89 Writes to foreign memory regions 12->89 91 Allocates memory in foreign processes 12->91 93 Sample uses process hollowing technique 12->93 23 RegAsm.exe 12->23         started        95 Injects a PE file into a foreign processes 14->95 25 RegAsm.exe 6 14->25         started        97 Hides threads from debuggers 16->97 99 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->99 101 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->101 signatures5 process6 dnsIp7 55 185.172.128.32, 49723, 80 NADYMSS-ASRU Russian Federation 18->55 57 185.172.128.5, 49719, 49720, 49721 NADYMSS-ASRU Russian Federation 18->57 41 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 18->41 dropped 43 C:\Users\user\AppData\Local\Temp\...\hv.exe, PE32 18->43 dropped 45 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 18->45 dropped 47 2 other malicious files 18->47 dropped 69 Multi AV Scanner detection for dropped file 18->69 71 Detected unpacking (changes PE section rights) 18->71 73 Query firmware table information (likely to detect VMs) 18->73 77 8 other signatures 18->77 27 hv.exe 6 18->27         started        31 rundll32.exe 18->31         started        33 schtasks.exe 1 18->33         started        75 Tries to harvest and steal browser information (history, passwords, etc) 23->75 file8 signatures9 process10 file11 51 Basis_for_modeling_and_calculations.exe, PE32 27->51 dropped 53 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 27->53 dropped 103 Multi AV Scanner detection for dropped file 27->103 105 Writes to foreign memory regions 27->105 107 Allocates memory in foreign processes 27->107 111 2 other signatures 27->111 35 RegAsm.exe 12 27->35         started        109 System process connects to network (likely due to code injection or exploit) 31->109 39 conhost.exe 33->39         started        signatures12 process13 dnsIp14 59 194.26.29.153 RELIABLESITEUS unknown 35->59 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->79 81 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->81 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7067efc25c133206570865eb8e8063d59894e5a3c457e287ca050d6fc3d182d4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7067efc25c133206570865eb8e8063d59894e5a3c457e287ca050d6fc3d182d4/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-01-03 00:48:08 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
19 of 22 (86.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=obt67qs4cmzamvyimxvy5add2wmjjzndyrl6fb6kaugw7q6rqlka._file
Verdict:
unknown
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey evasion spyware stealer trojan
Link:
https://tria.ge/reports/240103-g67c8acbak/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Malware Config
C2 Extraction:
http://185.172.128.5
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/344eb4e4-2998-4590-8bdf-a84eae042bef/
SH256 hash:
3c13130e9815e93dcffec35f726a4e7368740e2f3669a8966435e1e19fb6dedb
MD5 hash:
c358ebddab1181cf7a1928c25288e9f3
SHA1 hash:
4df3bca9b11ce55e656f08aec2864fcb35329f5d
Detections:
win_amadey
Create hunting rule
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/344eb4e4-2998-4590-8bdf-a84eae042bef/
SH256 hash:
7067efc25c133206570865eb8e8063d59894e5a3c457e287ca050d6fc3d182d4
MD5 hash:
85063be1269280d47cd7a92ac929e8d7
SHA1 hash:
263410e5468c34b22002ddd6c38c0edec54c5130
Detections:
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/344eb4e4-2998-4590-8bdf-a84eae042bef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Amadey
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7067efc25c133206570865eb8e8063d59894e5a3c457e287ca050d6fc3d182d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:mpress_2_xx_x86
Create hunting rule
Author:Kevin Falcoz
Description:MPRESS v2.XX x86 - no .NET
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_bytecodes_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 7067efc25c133206570865eb8e8063d59894e5a3c457e287ca050d6fc3d182d4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2739361/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2733669/
  
URLhaus
https://urlhaus.abuse.ch/url/2737075/
  
URLhaus
https://urlhaus.abuse.ch/url/2744395/

Comments