MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 714fb77468c06eabe914f400ebda1eb96f192352dcad66c87fbbeb57368d4e02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 714fb77468c06eabe914f400ebda1eb96f192352dcad66c87fbbeb57368d4e02
SHA3-384 hash: 8c8ab107231d45b32f9190adb4a8dcf89de00b62f95cf6d288b39583d7a5ce700614b135adce352a4201d90a9ac6d5e7
SHA1 hash: 2937e2df2fee6e89dbcec94d4b727fb5b4222015
MD5 hash: ab0bbb68c9838d54f5fb172f679d68ea
humanhash: mockingbird-november-table-mobile
File name:ab0bbb68c9838d54f5fb172f679d68ea.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'477'120 bytes
First seen:2023-09-18 19:10:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 36723152dcc89be0d0104bd374001ada (74 x MysticStealer, 4 x RedLineStealer, 1 x Amadey)
ssdeep 24576:dz+H5HNcfv9Ds/IgdLL+uKNW2HwZpIvfBfqNb5ogAHJkjzO7FHdeP82qs:e5U9MIgdLLmNWNZpgqN+Jkj67FHMPEs
Threatray 2'137 similar samples on MalwareBazaar
TLSH T1B86513117290C072E83215760DE8EFBB0278A0614FE55E9B53E62B7D0BD3EC1DB66E16
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
62.72.23.19:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab0bbb68c9838d54f5fb172f679d68ea.exe
Verdict:
No threats detected
Analysis date:
2023-09-18 19:10:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7df9e41a-ffee-4c3f-9816-f6e869e5b33a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449445/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61167.5010.13750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Delayed writing of the file
Launching a process
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Modifying a system executable file
Launching a service
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Infecting executable files
Gathering data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
control greyware lolbin packed
Link:
https://www.filescan.io/uploads/6508a0c72d5fc006cad6a80b/reports/18c68b4c-0666-4b71-98b1-9eff21bcd09d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/714fb77468c06eabe914f400ebda1eb96f192352dcad66c87fbbeb57368d4e02
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5693b0ad-12e8-4636-a37d-6d9516882f22
Result
Threat name:
Amadey, Fabookie, Mystic Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1310304
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1310304 Sample: rXG01EfhVG.exe Startdate: 18/09/2023 Architecture: WINDOWS Score: 100 174 clients2.google.com 2->174 176 clients.l.google.com 2->176 196 Snort IDS alert for network traffic 2->196 198 Found malware configuration 2->198 200 Malicious sample detected (through community Yara rule) 2->200 202 16 other signatures 2->202 14 rXG01EfhVG.exe 1 2->14         started        17 explonde.exe 2->17         started        19 legota.exe 2->19         started        signatures3 process4 signatures5 242 Contains functionality to inject code into remote processes 14->242 244 Writes to foreign memory regions 14->244 246 Allocates memory in foreign processes 14->246 248 Injects a PE file into a foreign processes 14->248 21 AppLaunch.exe 1 4 14->21         started        24 conhost.exe 14->24         started        27 AppLaunch.exe 14->27         started        process6 file7 150 C:\Users\user\AppData\Local\...\z1373841.exe, PE32 21->150 dropped 152 C:\Users\user\AppData\Local\...\w4063769.exe, PE32 21->152 dropped 29 z1373841.exe 1 4 21->29         started        33 w4063769.exe 21->33         started        228 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->228 230 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 24->230 signatures8 process9 file10 168 C:\Users\user\AppData\Local\...\z9276848.exe, PE32 29->168 dropped 170 C:\Users\user\AppData\Local\...\u5185883.exe, PE32 29->170 dropped 250 Antivirus detection for dropped file 29->250 252 Machine Learning detection for dropped file 29->252 35 z9276848.exe 1 4 29->35         started        38 u5185883.exe 29->38         started        172 C:\Users\user\AppData\Local\...\legota.exe, PE32 33->172 dropped 254 Multi AV Scanner detection for dropped file 33->254 41 legota.exe 33->41         started        signatures11 process12 dnsIp13 138 C:\Users\user\AppData\Local\...\z3686612.exe, PE32 35->138 dropped 140 C:\Users\user\AppData\Local\...\t8275221.exe, PE32 35->140 dropped 44 z3686612.exe 1 4 35->44         started        47 t8275221.exe 3 35->47         started        220 Writes to foreign memory regions 38->220 222 Allocates memory in foreign processes 38->222 224 Injects a PE file into a foreign processes 38->224 50 AppLaunch.exe 38->50         started        53 conhost.exe 38->53         started        192 5.42.65.80, 49719, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 41->192 194 77.91.68.78, 49716, 49717, 49718 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 41->194 142 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 41->142 dropped 144 C:\Users\user\AppData\Local\...\rockss.exe, PE32 41->144 dropped 146 C:\Users\user\AppData\...\deluxe_crypted.exe, PE32 41->146 dropped 148 3 other malicious files 41->148 dropped 226 Multi AV Scanner detection for dropped file 41->226 55 deluxe_crypted.exe 41->55         started        57 cmd.exe 41->57         started        59 schtasks.exe 41->59         started        61 rundll32.exe 41->61         started        file14 signatures15 process16 dnsIp17 162 C:\Users\user\AppData\Local\...\z6242158.exe, PE32 44->162 dropped 164 C:\Users\user\AppData\Local\...\s6076687.exe, PE32 44->164 dropped 63 s6076687.exe 1 44->63         started        66 z6242158.exe 1 4 44->66         started        166 C:\Users\user\AppData\Local\...\explonde.exe, PE32 47->166 dropped 256 Multi AV Scanner detection for dropped file 47->256 69 explonde.exe 47->69         started        178 77.91.124.82, 19071, 49715, 49737 ECOTEL-ASRU Russian Federation 50->178 180 185.215.113.25 WHOLESALECONNECTIONSNL Portugal 55->180 258 Antivirus detection for dropped file 55->258 260 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 55->260 262 Machine Learning detection for dropped file 55->262 264 3 other signatures 55->264 72 conhost.exe 55->72         started        74 conhost.exe 57->74         started        76 cmd.exe 57->76         started        78 cacls.exe 57->78         started        82 4 other processes 57->82 80 conhost.exe 59->80         started        file18 signatures19 process20 dnsIp21 266 Writes to foreign memory regions 63->266 268 Allocates memory in foreign processes 63->268 270 Injects a PE file into a foreign processes 63->270 84 AppLaunch.exe 63->84         started        87 conhost.exe 63->87         started        89 AppLaunch.exe 63->89         started        126 C:\Users\user\AppData\Local\...\r4212167.exe, PE32 66->126 dropped 128 C:\Users\user\AppData\Local\...\q0103806.exe, PE32 66->128 dropped 91 q0103806.exe 1 66->91         started        93 r4212167.exe 1 66->93         started        182 77.91.68.52, 49712, 49713, 49720 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 69->182 184 77.91.68.61, 49730, 49734, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 69->184 186 77.91.124.231, 49714, 49721, 49723 ECOTEL-ASRU Russian Federation 69->186 130 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 69->130 dropped 132 C:\Users\user\AppData\Local\...\sunor.exe, PE32 69->132 dropped 134 C:\Users\user\AppData\Local\Temp\...\vur.exe, PE32 69->134 dropped 136 7 other malicious files 69->136 dropped 272 Multi AV Scanner detection for dropped file 69->272 274 Creates an undocumented autostart registry key 69->274 276 Creates multiple autostart registry keys 69->276 278 Uses schtasks.exe or at.exe to add and modify task schedules 69->278 95 foto5445.exe 69->95         started        97 expo.exe 69->97         started        99 cmd.exe 69->99         started        101 2 other processes 69->101 file22 signatures23 process24 signatures25 204 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 84->204 206 Maps a DLL or memory area into another process 84->206 208 Checks if the current machine is a virtual machine (disk enumeration) 84->208 210 Creates a thread in another existing process (thread injection) 84->210 103 explorer.exe 84->103 injected 212 Writes to foreign memory regions 91->212 214 Allocates memory in foreign processes 91->214 216 Injects a PE file into a foreign processes 91->216 108 AppLaunch.exe 9 1 91->108         started        110 conhost.exe 91->110         started        112 WerFault.exe 23 9 93->112         started        114 conhost.exe 93->114         started        218 Machine Learning detection for dropped file 95->218 116 conhost.exe 95->116         started        118 conhost.exe 97->118         started        122 7 other processes 99->122 120 conhost.exe 101->120         started        process26 dnsIp27 188 77.91.68.29 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 103->188 190 192.168.2.1 unknown unknown 103->190 154 C:\Users\user\AppData\Roaming\auwfius, PE32 103->154 dropped 156 C:\Users\user\AppData\Local\Temp1C4.exe, PE32 103->156 dropped 158 C:\Users\user\AppData\Local\Temp\D833.exe, PE32 103->158 dropped 160 6 other malicious files 103->160 dropped 232 System process connects to network (likely due to code injection or exploit) 103->232 234 Benign windows process drops PE files 103->234 236 Hides that the sample has been downloaded from the Internet (zone.identifier) 103->236 124 rundll32.exe 103->124         started        238 Disable Windows Defender notifications (registry) 108->238 240 Disable Windows Defender real time protection (registry) 108->240 file28 signatures29 process30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/714fb77468c06eabe914f400ebda1eb96f192352dcad66c87fbbeb57368d4e02/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2023-09-18 19:11:06 UTC
File Type:
PE (Exe)
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofh3o5diybxkx2iu6qaoxwq6xfxrsi2s3swwnsd7xpvvonunjyba._file
Verdict:
malicious
Similar samples:
17e6d489c82aafd9cb685806bf44acd6e2fc2c0fe5a249b16196ddecce66e348
Amadey
289ccb83e11c57ef0327798928f8733cb0ae7294fed7a5b22ce63d7380f4e949
Amadey
2f27f32ea2ee1aa1b5085855ff553dec50e29cb5bec11d950766605f8d2150d4
Amadey
854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c
Amadey
a4f8591f4d334bd38cefd3d69a596a495725aed03f7c434f5ed5b8bae51b4094
Amadey
adae27992594d21e3d9b08969d6159068b82c8c1cda9c9cc9a2390dbec26a9da
Amadey
b6dbab0251f7dc75749babd8a98c8072df0ae4bd9767198cf2381d667e2222f6
Amadey
cca65a9ffc4cc09af8e29a65071ff6b5c2b10086caa8ca201322fab28d46a48d
Amadey
ee74da6cbb63a8e1f33c490358537559fa15855ebaec6866888af4b2bf46cc9b
Amadey
+ 2'127 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:fabookie family:glupteba family:healer family:redline family:smokeloader botnet:0305 botnet:legendaryinstalls_20230918 botnet:monik botnet:up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230918-xvxyeacb91/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Modifies Windows Firewall
Amadey
DcRat
Detect Fabookie payload
Detects Healer an antivirus disabler dropper
Fabookie
Glupteba
Glupteba payload
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.52/mac/index.php
http://77.91.68.78/help/index.php
77.91.124.82:19071
http://77.91.68.29/fks/
185.215.113.25:10195
62.72.23.19:80
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
8aaf9d49a4556f53432bc2f670362b15de752d7e185bead3f9e5aaa10bf9aa90
MD5 hash:
24b1ff14289c8954d7fb1b0cde8ed649
SHA1 hash:
2a9ce7ace481ca55c59ef3c8e8f7dfb04e0d8fad
Link:
https://www.unpac.me/results/5aedbb53-daf6-4ff4-9b39-e49c8c70145b/
SH256 hash:
714fb77468c06eabe914f400ebda1eb96f192352dcad66c87fbbeb57368d4e02
MD5 hash:
ab0bbb68c9838d54f5fb172f679d68ea
SHA1 hash:
2937e2df2fee6e89dbcec94d4b727fb5b4222015
Link:
https://www.unpac.me/results/5aedbb53-daf6-4ff4-9b39-e49c8c70145b/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/714fb77468c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/714fb77468c06eabe914f400ebda1eb96f192352dcad66c87fbbeb57368d4e02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 714fb77468c06eabe914f400ebda1eb96f192352dcad66c87fbbeb57368d4e02

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710395/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/449445/

Comments