MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77b5cef1f46958b16b21d2fe4836130c1406832002beac168af7cfb3db4713ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 13



SHA256 hash: 77b5cef1f46958b16b21d2fe4836130c1406832002beac168af7cfb3db4713ff
SHA3-384 hash: 0a244d8c027fb7d7953e0bd9e1a17868b31d355b968b744966eeeab8c30c05d704da5d91ab016a5465d175d1c6864e4f
SHA1 hash: ffd830c762c2015b120acc25a24ecf8331047749
MD5 hash: cd334129fb0d8e174eca8566e0e542fe
humanhash: michigan-april-quiet-kilo
File name: file
Signature: Amadey
File size: 433'664 bytes
First seen: 2022-12-06 21:10:43 UTC
Last seen: 2022-12-06 21:49:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 7bc1ad5b4cc7227f84b5861bc5954325 (16 x Amadey, 5 x Smoke Loader, 1 x RedLineStealer)
ssdeep 6144:zicpZRsLJg+alhrpsmriQv89qIV2HUEUEU67bDLAWcoBlCdi1taVe:ziiZ61g+Idps97qIwKEU6fD3cWC+t3
TLSH T1F894DF10F2B1D473C5820A708819CBE179FDB470D968A95B77ED3B6F6E723E15A22306
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon c11edecea6ac8ccc (199 x Amadey, 139 x Smoke Loader, 22 x RedLineStealer)
Reporter: andretavare5
Tags: Amadey exe


andretavare5
Sample downloaded from http://194.110.203.101/puta/softwinx86.exe

Intelligence


File Origin
# of uploads :
14
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-06 21:12:59 UTC
Tags:
trojan amadey loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a file
Creating a window
Delayed reading of the file
Searching for the window
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2022-12-06 21:11:10 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
redline
Score:
  10/10
Tags:
family:amadey family:redline botnet:@2023@ collection discovery infostealer persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.73.133.72/hfk3vK9/index.php
193.106.191.138:32796
Unpacked files
SHA256 hash:
a3cfc579d9b10cbfec8b6a55d2b1da18e7c7d341cba0c4e893456a806461e47d
MD5 hash:
9ae97cc75d1124552cae03c936288758
SHA1 hash:
bbc9dbaa1c521e33eb39ed64768a8ee79fa355ff
Detections:
Amadey
Parent samples :
SHA256 hash:
77b5cef1f46958b16b21d2fe4836130c1406832002beac168af7cfb3db4713ff
MD5 hash:
cd334129fb0d8e174eca8566e0e542fe
SHA1 hash:
ffd830c762c2015b120acc25a24ecf8331047749
Please note that we are no longer able to provide a coverage score for Virus Total.
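The indicators above (the two C2 endpoints from the malware configuration and the SHA256 hashes of the submitted file and its unpacked payload) are what a responder would take from this entry. The following is an added example, not MalwareBazaar code, showing how to match them against a connection log and a file-hash inventory. The indicator values are copied from this entry; the log lines, hostnames and file paths are constructed for illustration, and the log format (timestamp, source IP, destination IP, destination port, method, URL, with `-` for an absent field) is an assumption.

```python
"""Match the indicators on this MalwareBazaar entry against connection logs
and file-hash records.

Added example, not MalwareBazaar code. Indicator values come from the entry
above; the log lines and file events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# C2s from the "Malware Config" section: the Amadey panel (HTTP POST to a
# path) and the RedLine endpoint (raw TCP to a port).
C2_INDICATORS = [
    "77.73.133.72/hfk3vK9/index.php",
    "193.106.191.138:32796",
]
# SHA256 hashes from the entry: the submitted file and the unpacked payload.
FILE_HASHES = {
    "77b5cef1f46958b16b21d2fe4836130c1406832002beac168af7cfb3db4713ff": "Amadey (submitted file)",
    "a3cfc579d9b10cbfec8b6a55d2b1da18e7c7d341cba0c4e893456a806461e47d": "Amadey (unpacked)",
}


@dataclass(frozen=True)
class Indicator:
    host: str
    port: Optional[int]   # None when the indicator does not pin a port
    path: Optional[str]   # None when the indicator does not pin a URL path


def parse_indicator(raw: str) -> Indicator:
    """Normalize 'host/path', 'host:port' or a full URL into an Indicator."""
    if "://" not in raw:
        raw = "http://" + raw          # urlsplit needs a scheme to locate the host
    u = urlsplit(raw)
    return Indicator(u.hostname, u.port, u.path or None)


def classify(dst_ip: str, dst_port: int, url: Optional[str], indicators) -> Optional[str]:
    """Return 'c2' for a full match, 'infra' for a host-only match, else None.

    A host-only hit shares the C2's address but not the pinned port or path:
    worth a pivot, not by itself a confirmed beacon.
    """
    path = urlsplit(url).path if url else None
    best = None
    for ind in indicators:
        if ind.host != dst_ip:
            continue
        port_ok = ind.port is None or ind.port == dst_port
        path_ok = ind.path is None or ind.path == path
        if port_ok and path_ok:
            return "c2"
        best = "infra"
    return best


# Constructed proxy/firewall export (assumed format): ts src dst dport method url
SAMPLE_LOG = """\
2022-12-06T21:15:02Z 10.0.0.15 77.73.133.72 80 POST http://77.73.133.72/hfk3vK9/index.php
2022-12-06T21:15:04Z 10.0.0.15 193.106.191.138 32796 - -
2022-12-06T21:15:09Z 10.0.0.22 93.184.216.34 443 GET https://example.com/
2022-12-06T21:16:11Z 10.0.0.15 77.73.133.72 80 GET http://77.73.133.72/other/path
"""


def scan_log(text: str, indicators=None):
    """Return (line_no, src_ip, level, 'dst:port') for each line touching a C2 host."""
    indicators = indicators or [parse_indicator(r) for r in C2_INDICATORS]
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        _ts, src, dst, dport, _method, url = line.split()
        level = classify(dst, int(dport), None if url == "-" else url, indicators)
        if level:
            hits.append((n, src, level, f"{dst}:{dport}"))
    return hits


# Constructed EDR file events (hostnames and paths are illustrative): (host, path, sha256)
SAMPLE_FILE_EVENTS = [
    ("WS-015", r"C:\Users\alice\AppData\Local\Temp\softwinx86.exe",
     "77b5cef1f46958b16b21d2fe4836130c1406832002beac168af7cfb3db4713ff"),
    ("WS-022", r"C:\Windows\System32\notepad.exe", "0" * 64),
]


def match_hashes(events, known=FILE_HASHES):
    """Return (host, path, label) for each event whose SHA256 appears on the entry."""
    return [(h, p, known[sha.lower()]) for h, p, sha in events if sha.lower() in known]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("network:", hit)
    for hit in match_hashes(SAMPLE_FILE_EVENTS):
        print("file:", hit)
```

The `infra` level is deliberate: the fourth constructed line reaches the Amadey panel's IP but not the `/hfk3vK9/index.php` path, so it is flagged for follow-up rather than reported as a confirmed check-in. Both C2 entries are parsed by the same routine because one pins a path and the other a port; a real feed mixes both shapes.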

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by
PrivateLoader
Delivery method
Distributed via drive-by

Comments