MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 16

SHA256 hash: 7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd
SHA3-384 hash: 641a715a6c845f9fce45d37f8f2f59f0c20ebc9a9197ba5e0307a43035ba504df939c13f755a17e2f1435933a1d01acd
SHA1 hash: 2323b4b01ea18b4478ecb41309e24d64ad52746d
MD5 hash: 62784b54dca4829a61e16d31b8e30f87
humanhash: grey-colorado-autumn-massachusetts
File name: setup.exe
Signature: Amadey
File size: 1'913'344 bytes
First seen: 2024-07-29 23:05:47 UTC
Last seen: 2024-07-29 23:40:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:tP1Dp0xtpy4XriZY20Tf7b7X34fYXmag9kUVVo:Z0vI4X2ZY20Tzb7XIf2GHo
TLSH: T1C99533816E3BF15DE98682B323734769A433FF84AA1B8E357C1092B4A97F19F6715700
TrID: 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      9.1% (.EXE) OS/2 Executable (generic) (2029/13)
      9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: Chainskilabs
Tags: Amadey exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 411
Origin country: US

Vendor Threat Intelligence

Malware family:
ID: 1
File name: setup.exe
Verdict: Malicious activity
Analysis date: 2024-07-29 23:07:31 UTC
Tags: amadey botnet stealer themida

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Execution Generic Infostealer Network Stealth Trojan

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Babadeda, Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph rendering omitted] Behavior Graph ID: 1484411, Sample: setup.exe, Startdate: 30/07/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-07-29 23:06:07 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 21 of 24 (87.50%)
Threat level: 2/5
Verdict: malicious

Result
Malware family: redline
Score: 10/10
Tags: family:amadey family:exelastealer family:monster family:redline botnet:0657d1 botnet:25072023 botnet:fed3aa botnet:logs collection credential_access defense_evasion discovery evasion execution infostealer persistence privilege_escalation pyinstaller spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Collects information from the system
Enumerates system info in registry
Gathers network information
Gathers system information
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Detects Pyinstaller
Embeds OpenSSL
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
System Network Connections Discovery
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Network Service Discovery
Power Settings
Checks BIOS information in registry
Checks computer location settings
Clipboard Data
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Credentials from Password Stores: Credentials from Web Browsers
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detects Monster Stealer.
Exela Stealer
Monster
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.215.113.19
http://185.215.113.16
185.215.113.67:40960
185.215.113.9:9137
Unpacked files
SHA256 hash: cfa9c5fcad99efc42820468da6c9ccfc09488ac700748bcfef0ffebd44cf19c1
MD5 hash: d4f08e3b8d778c60ea70df03c372cb75
SHA1 hash: 5833f672f9b6316766ce9a087648b947336bd36a
Detections: win_amadey

SHA256 hash: 7886c7f2eb19e688c8ab3382e4cb3ceb39d63a7dc8b920f7e0d29a628cc9b4bd
MD5 hash: 62784b54dca4829a61e16d31b8e30f87
SHA1 hash: 2323b4b01ea18b4478ecb41309e24d64ad52746d

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_detect_tls_callbacks

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                     Severity
CHECK_AUTHENTICODE         Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
CHECK_NX                   Missing Non-Executable Memory Protection                  critical
