MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f58a7af82d23f8e3d96d59d475f17a532f342850a4ff1b5a002c53244ed3178. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f58a7af82d23f8e3d96d59d475f17a532f342850a4ff1b5a002c53244ed3178
SHA3-384 hash: 55215f12689a762fc58858c98cc0db6791f924ab00fc0a11e3c309658fefcfd100906ec9b29abd5804f7c432ac2d228d
SHA1 hash: a57e92a45d1adca2b7ed38111ef9aa9e6fe809c8
MD5 hash: 5a87d548598caaaa5098b42864d2ab61
humanhash: solar-floor-april-quebec
File name:5a87d548598caaaa5098b42864d2ab61.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'471'864 bytes
First seen:2023-09-11 02:01:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep 24576:bzKCJvBrC150HwpHgE2gfpuaD2hU+jfu2BEdNcnjurXmqz0iO1u1Hg:nKCJJ+vHHX268acbfuHdNaQXmqJH1Hg
Threatray 264 similar samples on MalwareBazaar
TLSH T11F65122479E5C4B3D83211326EE1C379DD3EB930175A48EF63A44BAF1E75241AB3126B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
162.33.179.91:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5a87d548598caaaa5098b42864d2ab61.exe
Verdict:
No threats detected
Analysis date:
2023-09-11 02:03:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c18c7764-b0ae-42ac-a542-b2c5a66d2dfc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447792/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.3590.22783.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a service
Creating a file
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/7f58a7af82d23f8e3d96d59d475f17a532f342850a4ff1b5a002c53244ed3178
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8edf4509-f5d3-404b-8846-88817bd8ef43
Result
Threat name:
Amadey, Mystic Stealer, RedLine, SmokeLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306978
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1306978 Sample: 1jdT4Tk1YG.exe Startdate: 11/09/2023 Architecture: WINDOWS Score: 100 116 api.ip.sb 2->116 150 Snort IDS alert for network traffic 2->150 152 Found malware configuration 2->152 154 Malicious sample detected (through community Yara rule) 2->154 156 14 other signatures 2->156 13 1jdT4Tk1YG.exe 1 2->13         started        16 rundll32.exe 2->16         started        18 rundll32.exe 2->18         started        signatures3 process4 signatures5 184 Contains functionality to inject code into remote processes 13->184 186 Writes to foreign memory regions 13->186 188 Allocates memory in foreign processes 13->188 190 Injects a PE file into a foreign processes 13->190 20 AppLaunch.exe 1 4 13->20         started        23 WerFault.exe 23 9 13->23         started        26 conhost.exe 13->26         started        process6 dnsIp7 94 C:\Users\user\AppData\Local\...\z7384147.exe, PE32 20->94 dropped 96 C:\Users\user\AppData\Local\...\w5702523.exe, PE32 20->96 dropped 28 z7384147.exe 1 4 20->28         started        120 192.168.2.1 unknown unknown 23->120 file8 process9 file10 104 C:\Users\user\AppData\Local\...\z5279046.exe, PE32 28->104 dropped 106 C:\Users\user\AppData\Local\...\u3033992.exe, PE32 28->106 dropped 192 Antivirus detection for dropped file 28->192 194 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->194 196 Machine Learning detection for dropped file 28->196 198 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->198 32 z5279046.exe 1 4 28->32         started        36 u3033992.exe 28->36         started        signatures11 process12 file13 90 C:\Users\user\AppData\Local\...\z8044826.exe, PE32 32->90 dropped 92 C:\Users\user\AppData\Local\...\t0822988.exe, PE32 32->92 dropped 124 Antivirus detection for dropped file 32->124 126 Machine Learning detection for dropped file 32->126 38 z8044826.exe 1 4 32->38         started        41 t0822988.exe 32->41         started        128 Multi AV Scanner detection for dropped file 36->128 130 Writes to foreign memory regions 36->130 132 Allocates memory in foreign processes 36->132 134 Injects a PE file into a foreign processes 36->134 44 conhost.exe 36->44         started        signatures14 process15 file16 98 C:\Users\user\AppData\Local\...\z7313873.exe, PE32 38->98 dropped 100 C:\Users\user\AppData\Local\...\s3217687.exe, PE32 38->100 dropped 46 z7313873.exe 1 4 38->46         started        49 s3217687.exe 38->49         started        102 C:\Users\user\AppData\Local\...\explonde.exe, PE32 41->102 dropped 178 Antivirus detection for dropped file 41->178 180 Multi AV Scanner detection for dropped file 41->180 182 Machine Learning detection for dropped file 41->182 52 explonde.exe 41->52         started        signatures17 process18 dnsIp19 108 C:\Users\user\AppData\Local\...\r0761317.exe, PE32 46->108 dropped 110 C:\Users\user\AppData\Local\...\q7440983.exe, PE32 46->110 dropped 55 q7440983.exe 1 46->55         started        58 r0761317.exe 1 46->58         started        136 Writes to foreign memory regions 49->136 138 Allocates memory in foreign processes 49->138 140 Injects a PE file into a foreign processes 49->140 60 AppLaunch.exe 49->60         started        62 conhost.exe 49->62         started        64 WerFault.exe 49->64         started        118 77.91.68.52, 49720, 49721, 49722 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 52->118 112 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 52->112 dropped 114 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 52->114 dropped 142 Antivirus detection for dropped file 52->142 144 Multi AV Scanner detection for dropped file 52->144 146 Creates an undocumented autostart registry key 52->146 148 2 other signatures 52->148 66 cmd.exe 52->66         started        68 schtasks.exe 52->68         started        file20 signatures21 process22 signatures23 162 Multi AV Scanner detection for dropped file 55->162 164 Writes to foreign memory regions 55->164 166 Allocates memory in foreign processes 55->166 70 AppLaunch.exe 9 1 55->70         started        73 WerFault.exe 19 9 55->73         started        75 conhost.exe 55->75         started        86 3 other processes 55->86 168 Injects a PE file into a foreign processes 58->168 77 AppLaunch.exe 13 58->77         started        80 conhost.exe 58->80         started        82 WerFault.exe 58->82         started        170 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 60->170 172 Maps a DLL or memory area into another process 60->172 174 Checks if the current machine is a virtual machine (disk enumeration) 60->174 176 Creates a thread in another existing process (thread injection) 60->176 88 7 other processes 66->88 84 conhost.exe 68->84         started        process24 dnsIp25 158 Disable Windows Defender notifications (registry) 70->158 160 Disable Windows Defender real time protection (registry) 70->160 122 5.42.92.211, 49713, 49791, 49806 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 77->122 signatures26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f58a7af82d23f8e3d96d59d475f17a532f342850a4ff1b5a002c53244ed3178/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-09-11 00:48:44 UTC
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p5mkpl4c2i7y4pmw2wouoxyxuuzpgqufbjh7dnnaalcterhngf4a._file
Verdict:
malicious
Similar samples:
049c9ab9a3a3531d13e86ee7e687a45538955b48f62e2149e30d1206ec8c3df4
Amadey
17e6d489c82aafd9cb685806bf44acd6e2fc2c0fe5a249b16196ddecce66e348
Amadey
2f27f32ea2ee1aa1b5085855ff553dec50e29cb5bec11d950766605f8d2150d4
Amadey
374009053f8b456f596abbcc512fd5ae7834e24397a3fc725213d2d6e401952a
Amadey
75ff95a6deb24eabfb5851714523f832ead06e9d19c2d2c5ae808463403f169d
Amadey
adae27992594d21e3d9b08969d6159068b82c8c1cda9c9cc9a2390dbec26a9da
Amadey
b6dbab0251f7dc75749babd8a98c8072df0ae4bd9767198cf2381d667e2222f6
Amadey
cca65a9ffc4cc09af8e29a65071ff6b5c2b10086caa8ca201322fab28d46a48d
Amadey
edcade63346f48f03b9420c18c0b9c2246b72ea5ea29baf58abbb7fe8b8ce358
Amadey
ee74da6cbb63a8e1f33c490358537559fa15855ebaec6866888af4b2bf46cc9b
Amadey
+ 254 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230911-cflavadb64/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
7f58a7af82d23f8e3d96d59d475f17a532f342850a4ff1b5a002c53244ed3178
MD5 hash:
5a87d548598caaaa5098b42864d2ab61
SHA1 hash:
a57e92a45d1adca2b7ed38111ef9aa9e6fe809c8
Link:
https://www.unpac.me/results/577f1f5c-dbf3-486f-8a2e-689c3b983daa/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f58a7af82d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/7f58a7af82d23f8e3d96d59d475f17a532f342850a4ff1b5a002c53244ed3178

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 7f58a7af82d23f8e3d96d59d475f17a532f342850a4ff1b5a002c53244ed3178

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710395/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447792/

Comments