MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 715223f9d8cbff4640796f95054a54aaba8a06c7215d167a13d9f1ebf8bc1f17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 715223f9d8cbff4640796f95054a54aaba8a06c7215d167a13d9f1ebf8bc1f17
SHA3-384 hash: 15527e9acaf4dada99238cdca07e0fac26e7d17116be719b20e309a801b360bc61280987761a16d840f9d6f7a819d685
SHA1 hash: aadbfb4fcc6a8c76b8cc15a62d8e2d7d139a09f6
MD5 hash: bd3c9426f58b0aa58a0622b721f7c17f
humanhash: georgia-king-triple-nineteen
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:1'864'192 bytes
First seen:2024-11-24 09:21:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:f2WQLeJOxsLgCUbwqBgOlr3LaaQsxkw6k3Jb9Agk0B8r:+leJO6gDbwqBj5+LokRk3Jb9e
TLSH T10485336066174338D306C67A0E43BFC7F837EB12F2E15281CB5A616A51AF1263E73B95
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
399
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-24 09:23:35 UTC
Tags:
amadey botnet stealer loader stealc themida lumma
Link:
https://app.any.run/tasks/a9db96ed-2c4d-4d96-b2e2-52567b124279

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.5560.19819.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6742f03dd0583382434ac83d
Tags:
vmdetect autorun autoit lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6742f03b426b648292f3bdb3/reports/93e62783-75f8-432f-8dcd-0a0f8c4ae0bd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/715223f9d8cbff4640796f95054a54aaba8a06c7215d167a13d9f1ebf8bc1f17
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a6078b23-1088-4623-ab0e-e952c6ff4d4e
Result
Threat name:
Amadey, Credential Flusher, Cryptbot, Lu
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1561790
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561790 Sample: file.exe Startdate: 24/11/2024 Architecture: WINDOWS Score: 100 92 youtube.com 2->92 94 www.google.com 2->94 96 17 other IPs or domains 2->96 124 Suricata IDS alerts for network traffic 2->124 126 Found malware configuration 2->126 128 Antivirus detection for URL or domain 2->128 130 17 other signatures 2->130 10 skotes.exe 4 31 2->10         started        15 file.exe 5 2->15         started        17 c9ac8940e6.exe 2->17         started        19 6 other processes 2->19 signatures3 process4 dnsIp5 116 185.215.113.43, 49801, 49807, 49839 WHOLESALECONNECTIONSNL Portugal 10->116 118 185.215.113.16, 49845, 80 WHOLESALECONNECTIONSNL Portugal 10->118 120 31.41.244.11, 49813, 80 AEROEXPRESS-ASRU Russian Federation 10->120 80 C:\Users\user\AppData\...\df975f4fc1.exe, PE32 10->80 dropped 82 C:\Users\user\AppData\...\6d2b6a8d0b.exe, PE32 10->82 dropped 84 C:\Users\user\AppData\...\194fcc03d1.exe, PE32 10->84 dropped 90 7 other malicious files 10->90 dropped 158 Creates multiple autostart registry keys 10->158 160 Hides threads from debuggers 10->160 162 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->162 21 194fcc03d1.exe 38 10->21         started        25 df975f4fc1.exe 10->25         started        27 c9ac8940e6.exe 10->27         started        37 2 other processes 10->37 86 C:\Users\user\AppData\Local\...\skotes.exe, PE32 15->86 dropped 88 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 15->88 dropped 164 Detected unpacking (changes PE section rights) 15->164 166 Tries to evade debugger and weak emulator (self modifying code) 15->166 168 Tries to detect virtualization through RDTSC time measurements 15->168 170 Potentially malicious time measurement code found 15->170 29 skotes.exe 15->29         started        172 Query firmware table information (likely to detect VMs) 17->172 174 Found many strings related to Crypto-Wallets (likely being stolen) 17->174 176 Tries to harvest and steal ftp login credentials 17->176 180 2 other signatures 17->180 178 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 19->178 31 taskkill.exe 19->31         started        33 firefox.exe 19->33         started        35 msedge.exe 19->35         started        39 4 other processes 19->39 file6 signatures7 process8 dnsIp9 98 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 21->98 132 Antivirus detection for dropped file 21->132 134 Multi AV Scanner detection for dropped file 21->134 136 Detected unpacking (changes PE section rights) 21->136 150 7 other signatures 21->150 41 chrome.exe 21->41         started        44 msedge.exe 21->44         started        138 Tries to detect sandboxes and other dynamic analysis tools (window names) 25->138 140 Machine Learning detection for dropped file 25->140 142 Modifies windows update settings 25->142 152 3 other signatures 25->152 100 property-imper.sbs 104.21.33.116 CLOUDFLARENETUS United States 27->100 154 2 other signatures 27->154 144 Tries to evade debugger and weak emulator (self modifying code) 29->144 156 2 other signatures 29->156 146 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 31->146 47 conhost.exe 31->47         started        106 6 other IPs or domains 33->106 55 2 other processes 33->55 102 sb.scorecardresearch.com 18.165.220.66 MIT-GATEWAYSUS United States 35->102 104 13.91.222.61 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 35->104 108 14 other IPs or domains 35->108 110 2 other IPs or domains 37->110 148 Binary is likely a compiled AutoIt script file 37->148 49 taskkill.exe 37->49         started        51 taskkill.exe 37->51         started        53 taskkill.exe 37->53         started        57 4 other processes 37->57 59 2 other processes 39->59 signatures10 process11 dnsIp12 112 192.168.2.5, 443, 49703, 49704 unknown unknown 41->112 114 239.255.255.250 unknown Reserved 41->114 61 chrome.exe 41->61         started        64 chrome.exe 41->64         started        182 Monitors registry run keys for changes 44->182 66 conhost.exe 49->66         started        68 conhost.exe 51->68         started        70 conhost.exe 53->70         started        72 conhost.exe 57->72         started        74 conhost.exe 57->74         started        76 chrome.exe 57->76         started        signatures13 process14 dnsIp15 122 www.google.com 142.250.181.68 GOOGLEUS United States 61->122 78 msedge.exe 66->78         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/715223f9d8cbff4640796f95054a54aaba8a06c7215d167a13d9f1ebf8bc1f17/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-24 09:22:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofjch6oyzp7umqdzn6kqkssuvk5iubwheform6qt3hy6x6f4d4lq._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:cryptbot family:stealc botnet:9c9aa5 botnet:mars credential_access discovery evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/241124-lbw18atlez/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
CryptBot
Cryptbot family
Detects CryptBot payload
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.43
http://185.215.113.206
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bd0a2b72-555b-431f-b96d-4eb3233c62cc
Unpacked files
SH256 hash:
2ec3ec21c380c347ae23105ecd9ad13933668c2a851f3c907184f91b140d99d7
MD5 hash:
30cdd10682338b2cb435f7f40974dd5f
SHA1 hash:
19a28d012cd1e676a5f842dd07f8ecce5ffb1aca
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/81dab8ed-b5ff-4426-9c25-2a5a344744c6/
SH256 hash:
715223f9d8cbff4640796f95054a54aaba8a06c7215d167a13d9f1ebf8bc1f17
MD5 hash:
bd3c9426f58b0aa58a0622b721f7c17f
SHA1 hash:
aadbfb4fcc6a8c76b8cc15a62d8e2d7d139a09f6
Link:
https://www.unpac.me/results/81dab8ed-b5ff-4426-9c25-2a5a344744c6/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/715223f9d8cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/715223f9d8cbff4640796f95054a54aaba8a06c7215d167a13d9f1ebf8bc1f17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 715223f9d8cbff4640796f95054a54aaba8a06c7215d167a13d9f1ebf8bc1f17

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3279844/
  
URLhaus
https://urlhaus.abuse.ch/url/3273372/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments