MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75880562b0e3a5354afeab50d1bdea6c6d822b140abd2abc944ca6badaab8e65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75880562b0e3a5354afeab50d1bdea6c6d822b140abd2abc944ca6badaab8e65
SHA3-384 hash: 0c61fc4fdd6679b1e536ba21e6087014ac7a0586a1ad3fdb67b51ed09d73f11478e315f5b3e448f37d1ea1fbf8e0a6d3
SHA1 hash: 4e23852b7de7c0216cf82578febb708a64d0985a
MD5 hash: 02939e494407b4f1b7d569c8e2e4f670
humanhash: happy-orange-washington-hot
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:1'938'944 bytes
First seen:2024-08-11 04:06:08 UTC
Last seen:2024-08-11 04:17:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:gg8e7qvElALaCreZ27DH2XeZ8h+4t+iIUgI:gg2kALaPEH2OZ++4XZ
TLSH T12095335E6FBFA0ACD50C5776F7E880983981723660FD028BB316949A0B5DBA9DC05DF0
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/soka/random.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
451
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-08-11 04:09:13 UTC
Tags:
amadey botnet stealer
Link:
https://app.any.run/tasks/e977dd8c-b0e8-44cc-83a8-0f94fa37f62b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.6061.21121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b838e7aa5b40be0a9ffe75
Tags:
Execution Generic Infostealer Network Stealth Trojan
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/66b838e6b1392db6bab20f7f/reports/7544ad24-b27e-4ef6-972d-361ce6c26eef/overview
Verdict:
Malicious
Labled as:
Kryptik.Generic
Link:
https://www.hybrid-analysis.com/sample/75880562b0e3a5354afeab50d1bdea6c6d822b140abd2abc944ca6badaab8e65
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/57144447-2e21-4afa-9e93-ac0429faa807
Result
Threat name:
Amadey, DarkTortilla, PureLog Stealer, R
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1491182
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops script or batch files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1491182 Sample: file.exe Startdate: 11/08/2024 Architecture: WINDOWS Score: 100 165 Multi AV Scanner detection for domain / URL 2->165 167 Found malware configuration 2->167 169 Malicious sample detected (through community Yara rule) 2->169 171 31 other signatures 2->171 10 axplong.exe 40 2->10         started        15 file.exe 5 2->15         started        17 axplong.exe 2->17         started        19 4 other processes 2->19 process3 dnsIp4 149 185.196.11.123 SIMPLECARRIERCH Switzerland 10->149 151 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 10->151 157 2 other IPs or domains 10->157 125 C:\Users\user\AppData\Local\...\request.exe, PE32 10->125 dropped 127 C:\Users\user\AppData\Local\...\runtime.exe, PE32 10->127 dropped 129 C:\Users\user\AppData\Local\...\cookie250.exe, PE32 10->129 dropped 135 15 other malicious files 10->135 dropped 223 Hides threads from debuggers 10->223 225 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->225 227 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 10->227 21 file000.exe 10->21         started        24 runtime.exe 10->24         started        27 stealc_default.exe 10->27         started        32 6 other processes 10->32 131 C:\Users\user\AppData\Local\...\axplong.exe, PE32 15->131 dropped 133 C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII 15->133 dropped 229 Detected unpacking (changes PE section rights) 15->229 231 Tries to evade debugger and weak emulator (self modifying code) 15->231 233 Tries to detect virtualization through RDTSC time measurements 15->233 30 axplong.exe 15->30         started        153 184.28.90.27 AKAMAI-ASUS United States 19->153 155 127.0.0.1 unknown unknown 19->155 235 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->235 file5 signatures6 process7 dnsIp8 197 Multi AV Scanner detection for dropped file 21->197 215 3 other signatures 21->215 34 InstallUtil.exe 21->34         started        107 C:\Users\user\AppData\Local\Temp\Zinc, data 24->107 dropped 109 C:\Users\user\AppData\Local\Temp\Template, data 24->109 dropped 121 6 other malicious files 24->121 dropped 199 Writes many files with high entropy 24->199 39 cmd.exe 24->39         started        159 185.215.113.17 WHOLESALECONNECTIONSNL Portugal 27->159 111 C:\Users\user\AppData\...\softokn3[1].dll, PE32 27->111 dropped 113 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 27->113 dropped 115 C:\Users\user\AppData\...\mozglue[1].dll, PE32 27->115 dropped 123 9 other files (5 malicious) 27->123 dropped 201 Tries to steal Mail credentials (via file / registry access) 27->201 203 Found many strings related to Crypto-Wallets (likely being stolen) 27->203 217 4 other signatures 27->217 205 Detected unpacking (changes PE section rights) 30->205 207 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->207 219 4 other signatures 30->219 161 185.215.113.67 WHOLESALECONNECTIONSNL Portugal 32->161 163 185.215.113.9 WHOLESALECONNECTIONSNL Portugal 32->163 117 C:\Users\user\msvcservice.exe, PE32 32->117 dropped 119 C:\Users\user\AppData\Local\...\Hkbsse.exe, PE32 32->119 dropped 209 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->209 211 Installs new ROOT certificates 32->211 213 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->213 221 4 other signatures 32->221 41 RegAsm.exe 32->41         started        43 RegAsm.exe 5 4 32->43         started        45 RegAsm.exe 32->45         started        47 6 other processes 32->47 file9 signatures10 process11 dnsIp12 137 140.82.121.4 GITHUBUS United States 34->137 139 104.20.4.235 CLOUDFLARENETUS United States 34->139 147 4 other IPs or domains 34->147 93 C:\Users\...\zOmj3QszIT7Uk5vkhhd92RyY.exe, PE32 34->93 dropped 95 C:\Users\...\xOosheSTGuEHglPxlU3XUCMK.exe, PE32 34->95 dropped 97 C:\Users\...\xAf3o6QOru30ug0iOi3qgWev.exe, PE32 34->97 dropped 105 87 other malicious files 34->105 dropped 181 Drops script or batch files to the startup folder 34->181 183 Writes many files with high entropy 34->183 99 C:\Users\user\AppData\Local\...\Beijing.pif, PE32 39->99 dropped 185 Drops PE files with a suspicious file extension 39->185 49 Beijing.pif 39->49         started        53 cmd.exe 39->53         started        55 conhost.exe 39->55         started        67 7 other processes 39->67 101 C:\Users\user\AppData\...\LLtSxjcKpd.exe, PE32 41->101 dropped 103 C:\Users\user\AppData\...\InVwFxqodc.exe, PE32 41->103 dropped 187 Found many strings related to Crypto-Wallets (likely being stolen) 41->187 57 LLtSxjcKpd.exe 41->57         started        59 InVwFxqodc.exe 41->59         started        141 20.52.165.210 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 43->141 189 Tries to steal Crypto Currency Wallets 43->189 191 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->191 193 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 45->193 61 Conhost.exe 45->61         started        143 185.208.158.114 SIMPLECARRER2IT Switzerland 47->143 145 212.132.117.42 RMIFLGB United Kingdom 47->145 195 Multi AV Scanner detection for dropped file 47->195 63 schtasks.exe 47->63         started        65 conhost.exe 47->65         started        file13 signatures14 process15 file16 85 C:\Users\user\AppData\Local\...\MindLynx.pif, PE32 49->85 dropped 87 C:\Users\user\AppData\Local\...\i, data 49->87 dropped 89 C:\Users\user\AppData\Local\...\MindLynx.js, ASCII 49->89 dropped 173 Drops PE files with a suspicious file extension 49->173 175 Writes many files with high entropy 49->175 69 cmd.exe 49->69         started        71 cmd.exe 49->71         started        91 C:\Users\user\AppData\Local\Temp\40365\s, data 53->91 dropped 177 Multi AV Scanner detection for dropped file 57->177 179 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 57->179 73 conhost.exe 57->73         started        75 conhost.exe 59->75         started        77 conhost.exe 63->77         started        signatures17 process18 process19 79 conhost.exe 69->79         started        81 schtasks.exe 69->81         started        83 conhost.exe 71->83         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/75880562b0e3a5354afeab50d1bdea6c6d822b140abd2abc944ca6badaab8e65
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75880562b0e3a5354afeab50d1bdea6c6d822b140abd2abc944ca6badaab8e65/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-08-11 05:01:19 UTC
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oweakyvq4ostksx6vnindppknrwyekyubk6svpeujstlvwvlrzsq._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:stealc family:xmrig botnet:a51500 botnet:default botnet:fed3aa credential_access discovery evasion execution infostealer miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/240811-epmw5svapk/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
RedLine
RedLine payload
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Malware Config
C2 Extraction:
http://185.215.113.16
185.215.113.67:21405
185.215.113.9:12617
http://185.215.113.17
http://api.garageserviceoperation.com
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/73c19a39-f545-4bd6-bf0b-678208326051
Unpacked files
SH256 hash:
e0763a274f94611482e132310b8a430e3244bcca2dbc5d1596af46cfc09cfa46
MD5 hash:
8df32f37431ccc8772495bbb68cacb64
SHA1 hash:
c49cc4b8421f2a03d2f63960a5ad08852f23cf16
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/92c9979e-0fb3-4629-a5ad-ee7780c94606/
SH256 hash:
75880562b0e3a5354afeab50d1bdea6c6d822b140abd2abc944ca6badaab8e65
MD5 hash:
02939e494407b4f1b7d569c8e2e4f670
SHA1 hash:
4e23852b7de7c0216cf82578febb708a64d0985a
Link:
https://www.unpac.me/results/92c9979e-0fb3-4629-a5ad-ee7780c94606/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/75880562b0e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75880562b0e3a5354afeab50d1bdea6c6d822b140abd2abc944ca6badaab8e65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 75880562b0e3a5354afeab50d1bdea6c6d822b140abd2abc944ca6badaab8e65

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3067427/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments