MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 15



SHA256 hash: 7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727
SHA3-384 hash: d83052690dc37925539b768a04a7d8a649c96f49bede6893a6ec7aadd85d02818d0ff73e71c4b4eae7f231f541d67db8
SHA1 hash: b4545ddfbf9a70674a3f28aafe7abf7b4828b9f1
MD5 hash: eede39c7c0198e86a3b75d2b8af77201
humanhash: spaghetti-quebec-undress-seventeen
File name: file
Signature: Amadey
File size: 3'685'888 bytes
First seen: 2023-08-31 13:56:58 UTC
Last seen: 2023-11-23 14:30:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d339886668b2a33d7f455fb43d1fd5c1 (1 x Amadey)
ssdeep: 49152:WAzCMQRS6jNdVRZLYZZtuafWNoG1wCUAKhj8VnF1Ij86+wI6BN8qKpmPsTuwV8:FOI8qZUV
Threatray: 4 similar samples on MalwareBazaar
TLSH: T1BD06A40E977695E8C5B9D03CC51A6227F9223C4DC234B7639BC65B42AFE17A0B63D381
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 719d8d7173f17317 (3 x PrivateLoader, 2 x RedLineStealer, 2 x Amadey)
Reporter: andretavare5
Tags: Amadey exe


andretavare5
Sample downloaded from https://vk.com/doc44017378_668679037?hash=6lxdrm9NUkSryZCfzYZn4zR2sOTXzaKgfQIcVCaPnvX&dl=FLqYTpktPSSWsXhtSyyzRawRyuZZexn7WIKXiXEZBv4&api=1&no_preview=1

Intelligence


File Origin
# of uploads: 2'012
# of downloads: 310
Origin country: US
Vendor Threat Intelligence

Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-08-31 13:57:25 UTC
Tags: privateloader evasion trojan amadey botnet loader smoke miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Modifying a system file
Creating synchronization primitives
DNS request
Sending a custom TCP request
Replacing files
Sending an HTTP GET request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Searching for the window
Launching cmd.exe command interpreter
Searching for analyzing tools
Running batch commands
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Gathering data

Verdict: No Threat
Threat level: 10/10
Confidence: 100%
Tags: fingerprint greyware

Verdict: Suspicious
Labelled as: Win64/TrojanDownloader.Agent.VW

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: 000Stealer, Amadey, Glupteba, PrivateLoa
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files with benign system names
Found C&C like URL pattern
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected 000Stealer
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Glupteba
Yara detected PrivateLoader
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID: 1301082; Sample: file.exe; Start date: 31/08/2023; Architecture: WINDOWS; Score: 100)

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 25 other signatures

Process tree (reconstructed from the graph; "injected" marks a process entered by code injection rather than started; indentation shows parent/child):

file.exe (started)
  Network: 45.15.156.229, 49720, 80 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 45.9.74.80, 49729, 49730, 49740 (FIRST-SERVER-EU-ASRU, Russian Federation); 7 other IPs or domains
  Dropped: C:\Users\...\XEnqSE7jwF_pZyIf2zG_t2QG.exe (PE32); C:\Users\...\UoL5NWbbGwQBf76qXx3oYYeB.exe (PE32+); C:\Users\...\UOeXcSMGsFvW8JIteKDIEg0V.exe (PE32); 2 other malicious files
  Signatures: May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender (deletes autostart); 2 other signatures
  XEnqSE7jwF_pZyIf2zG_t2QG.exe (started)
    Dropped: C:\Users\user\AppData\Local\...\newplayer.exe (PE32); C:\Users\user\AppData\Local\...\a5718b57.exe (PE32)
    newplayer.exe (started)
      Dropped: C:\Users\user\AppData\Local\...\oneetx.exe (PE32)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      oneetx.exe (started)
        Network: 79.137.192.18, 49743, 80 (PSKSET-ASRU, Russian Federation); 192.168.2.1 (unknown)
        Dropped: C:\Users\user\AppData\Local\...\latestX.exe (PE32+); C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe (PE32); C:\Users\user\AppData\Local\...\toolspub2.exe (PE32); 3 other malicious files
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 2 other signatures
        31839b57a4f11171d6abc8bbc4451ee4.exe (started)
          Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Drops PE files with benign system names
          31839b57a4f11171d6abc8bbc4451ee4.exe (started)
            Dropped: C:\Windows\rss\csrss.exe (PE32)
            Signatures: Creates an autostart registry key pointing to binary in C:\Windows
            powershell.exe (started)
              conhost.exe (started)
          powershell.exe (started)
            conhost.exe (started)
        toolspub2.exe (started)
          Signatures: Machine Learning detection for dropped file; Injects a PE file into a foreign processes
          toolspub2.exe (started)
        latestX.exe (started)
          Dropped: C:\Program Files\Google\Chrome\updater.exe (PE32+)
          Signatures: Adds a directory exclusion to Windows Defender
        2 other processes
          8 other processes
    a5718b57.exe (started)
      Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
      explorer.exe (injected)
        Network: shsplatform.co.uk 80.66.203.53 (UKFASTGB, United Kingdom); 190.139.250.133 (TelecomArgentinaSAAR, Argentina); 3 other IPs or domains
        Dropped: C:\Users\user\AppData\Roaming\cjgcdcg (PE32); C:\Users\user\AppData\Local\Temp\7CDF.exe (PE32)
        Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Suspicious powershell command line found; 2 other signatures
        dialer.exe (started)
          Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
          lsass.exe (injected)
            Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
          4 other processes
        cmd.exe (started)
          Signatures: Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate
          6 other processes
        cmd.exe (started)
          5 other processes
        3 other processes
          5 other processes
  UOeXcSMGsFvW8JIteKDIEg0V.exe (started)
    Network: 185.149.146.217 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation)
    Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; 4 other signatures
  UoL5NWbbGwQBf76qXx3oYYeB.exe (started)
    Dropped: C:\Users\user\AppData\...\bqnbpfosjipw.tmp (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
    Signatures: Suspicious powershell command line found; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 3 other signatures
powershell.exe (started)
  conhost.exe (started)
svchost.exe (started)
oneetx.exe (started)

Threat name: Win64.Trojan.Privateloader
Status: Malicious
First seen: 2023-08-31 13:57:07 UTC
File Type: PE+ (Exe)
Extracted files: 3
AV detection: 16 of 24 (66.67%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:amadey family:glupteba family:privateloader family:smokeloader botnet:pub5 botnet:up3 backdoor dropper evasion loader spyware stealer themida trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Stops running service(s)
Amadey
Glupteba
Glupteba payload
SmokeLoader
Malware Config
C2 Extraction:
45.9.74.80/0bjdn2Z/index.php
http://taibi.at/tmp/
http://01stroy.ru/tmp/
http://mal-net.com/tmp/
http://gromograd.ru/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SHA256 hash: 7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727
MD5 hash: eede39c7c0198e86a3b75d2b8af77201
SHA1 hash: b4545ddfbf9a70674a3f28aafe7abf7b4828b9f1
Detections: win_privateloader_w0 win_privateloader_a0

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: privateloader
Author: andretavare5
Description: PrivateLoader pay-per-install malware

Rule name: Privateloader_Main_Component
Description: Detects PrivateLoader Main Component

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: win_privateloader
Author: andretavare5
Reference: https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

Rule name: win_privateloader

Rule name: win_privateloader_w0
Author: andretavare5
Reference: https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
