MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79b3659ae5791dba0cc638c8034fc65c8e221fd8c5e7a7b4ca15cd12e08f94e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 8



SHA256 hash: 79b3659ae5791dba0cc638c8034fc65c8e221fd8c5e7a7b4ca15cd12e08f94e9
SHA3-384 hash: 525add4d3ae4ed45471e1a1a4a17b249efdf84deee963c7bbb52e539b9a8cf2e022ee862af67d2c2a38aa7f56afd5a5e
SHA1 hash: 48b223337b1cf7c8ef7e0fd046eb7d9f572231e3
MD5 hash: c3b67ad5132e8a9fb87c464d57dd4fc2
humanhash: autumn-vermont-harry-batman
File name: c3b67ad5132e8a9fb87c464d57dd4fc2.dll
Signature: Amadey
File size: 1'251'264 bytes
First seen: 2023-01-06 17:35:27 UTC
Last seen: 2023-01-06 19:32:05 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: a2833106949ae6e20c40ed0128f9df4b (5 x RecordBreaker, 4 x SystemBC, 3 x RedLineStealer)
ssdeep: 24576:yIC/KST7VquI4B3MfdZfmM8c/PpV5bVpX+OIF:jg7EuI4tMfdt1/PD5brNIF
Threatray: 96 similar samples on MalwareBazaar
TLSH: T1C54523131EFF21C7F15075382A237491C8E4F5674D0407A7F2A53600AB9BA57EBA86BB
TrID:
  27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
  8.5% (.ICL) Windows Icons Library (generic) (2059/9)
  8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: Amadey, dll, signed

Code Signing Certificate

Organisation: www.labourer.com
Issuer: www.labourer.com
Algorithm: sha256WithRSAEncryption
Valid from: 2023-01-03T10:59:06Z
Valid to: 2024-01-03T11:19:06Z
Serial number: 22f954be8188a68942f1b4b3027717b0
Thumbprint algorithm: SHA256
Thumbprint: f4b3da41189c33b71b403162abafeb79ba2fb67917377a4e594bd7b18b6be63e
Source: ReversingLabs A1000 Malware Analysis Platform


Comment from abuse_ch:
Amadey C2: http://193.42.33.74/8bdSvcD/index.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 198
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean

Maliciousness:
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay, packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Raccoon Stealer v2, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Behaviour
Behavior Graph: ID 779325; sample oOb5C7arAh.dll; start date 06/01/2023; architecture WINDOWS; score 100

Sample-level DNS lookups: pastebin.com, eth0.me
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree (network contacts, dropped files and signatures are listed under the process they were attributed to):
loaddll32.exe
  rundll32.exe
    contacts 85.192.63.121, 49705, 80 (LINEGROUP-ASRU, Russian Federation)
    contacts 85.192.63.204, 49693, 49694, 49695 (LINEGROUP-ASRU, Russian Federation)
    drops C:\Users\user\AppData\Local\...\Lb62ExB0.exe (PE32)
    drops C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32)
    drops C:\Users\user\AppData\LocalLow\softokn3.dll (PE32)
    drops 5 other files (4 malicious)
    signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    Lb62ExB0.exe
      drops C:\Users\user\AppData\Local\...\dcupdate.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      dcupdate.exe
        contacts 193.42.33.74, 49706, 49707, 80 (EENET-ASEE, Germany)
        signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
        schtasks.exe
          conhost.exe
    BKb2A8Xq.exe
      drops C:\Users\user\Baskov\kernel32.exe (PE32)
      kernel32.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        InstallUtil.exe
          contacts 5.75.149.1 (HETZNER-ASDE, Germany)
          signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      cmd.exe
        PING.EXE
          contacts 127.0.0.1 (unknown)
        conhost.exe
        chcp.com
  rundll32.exe
  cmd.exe
    signatures: Uses ping.exe to check the status of other devices and networks
    rundll32.exe
      drops C:\Users\user\AppData\LocalLow\msvcp140.dll (PE32)
  conhost.exe
kernel32.exe (started from the graph root)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  InstallUtil.exe
kernel32.exe (started from the graph root)
  InstallUtil.exe
dcupdate.exe (started from the graph root)

Threat name: Win32.Trojan.Tedy
Status: Malicious
First seen: 2023-01-04 03:05:34 UTC
File type: PE (Dll)
Extracted files: 2
AV detection: 16 of 41 (39.02%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
Unpacked files
SHA256 hash: 79b3659ae5791dba0cc638c8034fc65c8e221fd8c5e7a7b4ca15cd12e08f94e9
MD5 hash: c3b67ad5132e8a9fb87c464d57dd4fc2
SHA1 hash: 48b223337b1cf7c8ef7e0fd046eb7d9f572231e3
Malware family: RecordBreaker
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments