MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2
SHA3-384 hash: 6a4938074a63718d8cc14cbfbf77ea0532f046875680313cb5530c605369b32623d322c8300e06e7d3afc671bfc51f6f
SHA1 hash: 8d903daf29dca4b3adfb77e2cee357904e404987
MD5 hash: 002423f02fdc16eb81ea32ee8fa26539
humanhash: wisconsin-fourteen-india-summer
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:2'782'987 bytes
First seen:2024-11-01 13:03:41 UTC
Last seen:2025-03-05 08:23:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 58e8b63410c37775a2b266150763214e (1 x Amadey)
ssdeep 49152:uYdY2I+/RJAnns4vBnZdTP21/ikw8o8oqLi04JTFPJRyO1l5IbkW0UTvEtUNWs:uYdY2IjJBnZdKls8NWf5IQQEtUIs
Threatray 5 similar samples on MalwareBazaar
TLSH T195D58D0478B59C6AD5A6213145BFD338BF760E088227F9E309B7AD71DE67243BA4C706
TrID 26.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
19.7% (.EXE) InstallShield setup (43053/19/16)
16.0% (.GAU) MS Flight Simulator Gauge (35073/8/10)
14.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
Magika pebin
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter Bitsight
Tags:185-215-113-209 Amadey exe


Avatar
Bitsight
url: http://31.41.244.11/files/giganticurtain.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.208.159.121/8djjd3Shf2/index.php https://threatfox.abuse.ch/ioc/1340435/

Intelligence

File Origin
# of uploads :
26
# of downloads :
441
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-01 13:04:26 UTC
Tags:
amadey botnet stealer rdp loader
Link:
https://app.any.run/tasks/e3578a97-416c-457b-9b58-a33f3783543d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6724d1c549e92a05dde23e2f
Tags:
powershell emotet cobalt lien
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Connection attempt
Sending an HTTP POST request
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm crypto overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/6724d1c2e9959538ff3c1acf/reports/bad7cc33-32ef-4784-833f-b99ad56e1b8c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e2349fa-8df0-4752-90fe-f84e2f9fa916
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1546713
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Found malware configuration
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Yara detected Amadey
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=psajife2ulhhee6eeprfo54f73xorn6ka7miutkl6oag2hisf2ra._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
4b7b5bc7b0d1f70adf6b80390f1273723c409b837c9575ee1cd4b963cf9e5c7d
Amadey
575a60ffb764409c924db6e0f5e8ceeafa894f597b0856720af05b53ad55569c
Amadey
7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2
Amadey
error
Amadey
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:608ae0 discovery trojan
Link:
https://tria.ge/reports/241101-qjnf9ssnck/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Amadey
Amadey family
Malware Config
C2 Extraction:
http://185.208.159.121
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3122fe9c-af50-48bf-a3c5-20869bb3a04a
Unpacked files
SH256 hash:
7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2
MD5 hash:
002423f02fdc16eb81ea32ee8fa26539
SHA1 hash:
8d903daf29dca4b3adfb77e2cee357904e404987
Link:
https://www.unpac.me/results/e9e77a1e-095f-46e4-974c-38ffbc1beaaa/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7c8094149aa2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_Zoom_Invite_malware_RAT_C2
Create hunting rule
Author:daniyyell
Description:Detects Zoom Invite Call Leading to Malware Hosted in Telegram C2
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 7c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3269418/
  
URLhaus
https://urlhaus.abuse.ch/url/3269954/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSidToSidW
advapi32.dll::CopySid
advapi32.dll::GetLengthSid
advapi32.dll::IsValidSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
kernel32.dll::OpenProcess
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::FindFirstVolumeW
kernel32.dll::FindNextVolumeW
ntdll.dll::NtQueryInformationProcess
ntdll.dll::NtQuerySystemInformation
kernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExA
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WriteConsoleW
kernel32.dll::ReadConsoleW
kernel32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create Fileskernel32.dll::CopyFileExW
kernel32.dll::CreateDirectoryW
kernel32.dll::CreateHardLinkW
kernel32.dll::CreateFileMappingA
kernel32.dll::CreateFileW
ntdll.dll::NtCreateFile
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupAccountSidW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptGenRandom
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_SOCK_APIUses Network to send and receive dataws2_32.dll::accept
ws2_32.dll::bind
ws2_32.dll::closesocket
ws2_32.dll::connect
ws2_32.dll::freeaddrinfo
ws2_32.dll::getaddrinfo

Comments