MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 13



SHA256 hash: 7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
SHA3-384 hash: 4a565d0cda34e39a634b79fe725b06d605b70ad19b01b2e73832a7d055e815239e03f56f194529406d80fd4c57bd705b
SHA1 hash: fcc13d52bf28416f3b8a594d58113fd8828a4093
MD5 hash: b413ff6e943c415afc26640ff535c724
humanhash: washington-spring-four-alaska
File name: b413ff6e943c415afc26640ff535c724
Signature: Amadey
File size: 2'476'494 bytes
First seen: 2022-05-29 17:31:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash d0dfe559e003c7370c899d20dea7dea8 (9 x RedLineStealer, 1 x Amadey)
ssdeep 24576:dofQL0YjKOTrGRTnFZUDt4KZHD6XyeOjuTfedlb0hv4d7KXl8p+NauQ5V3h357:dofQL0YjKOTrGJ7C5iOjuTWdlxd7Kc
Threatray 121 similar samples on MalwareBazaar
TLSH T11CB51A135A8B0E75DDC23BB4A1CB633E9734EE30CA2A9B7FF609C53559532C5681A702
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags: 32 Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'208
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: b413ff6e943c415afc26640ff535c724
Verdict: Malicious activity
Analysis date: 2022-05-29 17:31:46 UTC
Tags: amadey

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug overlay packed spyeye
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: spyw.evad
Score: 76 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to prevent local Windows debugging
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph (ID 635800, sample hBB2KnTndI, start date 29/05/2022, architecture WINDOWS, score 76), rendered as a process tree from the graph:

hBB2KnTndI.exe (started)
  signatures on the sample: Multi AV Scanner detection for submitted file; Yara detected Amadeys stealer DLL
  signatures on the process: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  -> AppLaunch.exe (started)
       dropped: C:\Users\user\AppData\Local\...\orxds.exe (PE32)
       -> orxds.exe (started)
            signature: Contains functionality to prevent local Windows debugging
  -> WerFault.exe (started)
       dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
  -> conhost.exe (started)
Threat name: Win32.Trojan.Jaik
Status: Malicious
First seen: 2022-05-29 17:32:10 UTC
File Type: PE (Exe)
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey trojan
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Amadey
Malware Config
C2 Extraction:
happyday9risce.com/gg4mn3s/index.php
xksldjf9sksdjfks.com/gg4mn3s/index.php
dhisa8f9ah02hopasiaf.com/gg4mn3s/index.php
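The three extracted C2 URLs are the most actionable part of this record for a SOC: they share the same check-in path (/gg4mn3s/index.php) across three different domains, so the path is worth matching on its own in case the operator rotates to a domain this record does not list. The following is an added example, not MalwareBazaar's own code or tooling: it refangs the URLs from this record (the C2 Extraction list plus the delivery URL from the reporter's comment on this page), splits them into host and path indicators, and runs them over a handful of proxy log lines. The log lines, the Squid-style log layout and the host newdomain-rotated.test are constructed for the example; only the hosts and the check-in path come from the record.

```python
"""Match the C2 and delivery URLs from this MalwareBazaar record against
proxy log lines. Added example for this page, not MalwareBazaar's code."""
import re
from urllib.parse import urlparse

# Indicators copied from this record: the three C2 check-in URLs from the
# Malware Config section and the delivery URL from the reporter's comment.
C2_URLS = [
    "happyday9risce.com/gg4mn3s/index.php",
    "xksldjf9sksdjfks.com/gg4mn3s/index.php",
    "dhisa8f9ah02hopasiaf.com/gg4mn3s/index.php",
]
DELIVERY_URLS = ["hxxp://happyday9risce.com/maxm.exe"]


def refang(url):
    """Undo common defanging (hxxp -> http, [.] -> ., (.) -> .)."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def normalise(url):
    """Return (hostname, path) for a URL given with or without a scheme."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.path or "/"


def build_indicators(c2_urls, delivery_urls):
    """Hosts from every URL; paths only from the C2 URLs, because the same
    check-in path (/gg4mn3s/index.php) is shared by all three C2 domains and
    survives the operator rotating to a domain not yet in this record."""
    hosts, paths = set(), set()
    for url in c2_urls:
        host, path = normalise(url)
        hosts.add(host)
        paths.add(path)
    for url in delivery_urls:
        hosts.add(normalise(url)[0])
    return hosts, paths


# Constructed proxy log lines (Squid-like: timestamp client method url status).
# Made up for the example; only the hosts and the check-in path come from the record.
SAMPLE_LOG = """\
1653845000.123 10.0.0.5 GET http://happyday9risce.com/maxm.exe 200
1653845010.456 10.0.0.5 POST http://happyday9risce.com/gg4mn3s/index.php 200
1653845020.789 10.0.0.7 GET http://www.example.com/index.php 200
1653845030.000 10.0.0.5 POST http://newdomain-rotated.test/gg4mn3s/index.php 200
1653845040.000 10.0.0.9 GET http://xksldjf9sksdjfks.com/ 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def scan(log_text, c2_urls=C2_URLS, delivery_urls=DELIVERY_URLS):
    """Return (client, url, reason) for each matching line.
    reason is 'host' for a known C2/delivery host and 'path' for the Amadey
    check-in path seen on a host the record does not list."""
    hosts, paths = build_indicators(c2_urls, delivery_urls)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, path = normalise(m["url"])
        if host in hosts:
            hits.append((m["client"], m["url"], "host"))
        elif path != "/" and path in paths:
            hits.append((m["client"], m["url"], "path"))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{reason:4} {client} {url}")
```

A 'host' hit on a listed domain is high confidence; a 'path' hit is lower confidence because any site could serve a file at that path, so treat it as a lead to pivot on (which client, what was downloaded just before) rather than a verdict on its own. The example deliberately does not use the delivery URL's path (/maxm.exe) as an indicator, since a generic executable name would fire on unrelated hosts.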
Unpacked files
SHA256 hash: 6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba
MD5 hash: aa9fa7808dca4fd4cadab28cabbc3266
SHA1 hash: 1a45810526df332dba5003d0627d1c14bf5183ed
SHA256 hash: 7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
MD5 hash: b413ff6e943c415afc26640ff535c724
SHA1 hash: fcc13d52bf28416f3b8a594d58113fd8828a4093
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Malware family: Amadey
File: Executable exe 7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb (this sample)

Comments



zbet commented on 2022-05-29 17:31:38 UTC

url : hxxp://happyday9risce.com/maxm.exe