MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 820fe3ac6c45fc1ed547de500f949780b4e1535e5429441ba50ff42adbc8b419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 820fe3ac6c45fc1ed547de500f949780b4e1535e5429441ba50ff42adbc8b419
SHA3-384 hash: dedd9e59d5ce6f061480d06d486c4657b583e921afa42b3f1f6a54d303662266eb65b5cf1ff4a86d2200978a33890c19
SHA1 hash: d99588fa054e7843a0e6e839ffebb8348bbf40fc
MD5 hash: 31bd44f5008d5c15546bdf7587b59494
humanhash: arkansas-mockingbird-lion-skylark
File name:31bd44f5008d5c15546bdf7587b59494.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:706'048 bytes
First seen:2023-03-06 11:45:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:1Mrry90mjdrOe8MQtClRd5bkPKnQHR7k7dBTdaJmPnVUo1r:6yRV8MQtCCx7k7/TdaJPUr
Threatray 4'197 similar samples on MalwareBazaar
TLSH T179E41217A6EC8531E5F8577048F603D30636BDB14A3847A6274B6D1A1CB3B70A6317BB
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
193.233.20.27:4123

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
31bd44f5008d5c15546bdf7587b59494.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 11:47:54 UTC
Tags:
rat redline trojan amadey loader
Link:
https://app.any.run/tasks/9c328bee-ad1a-4f0d-b879-89e3c804b06b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371948/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Disabler-9987080-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Creating a file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll CAB installer packed rundll32.exe setupapi.dll shell32.dll stealer
Link:
https://www.filescan.io/uploads/6405d27c0e8ce4beca25d4c6/reports/43d2532a-d3e8-489d-a2ab-b7174bb22de7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/820fe3ac6c45fc1ed547de500f949780b4e1535e5429441ba50ff42adbc8b419
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8478d64-2a31-4358-bd45-1d7b21ed1fdb
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188162
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821042 Sample: EGMKFglrBY.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for domain / URL 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for dropped file 2->46 48 8 other signatures 2->48 8 EGMKFglrBY.exe 1 4 2->8         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        process3 file4 38 C:\Users\user\AppData\...\zkJZ8759BY.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\...\rdta53Ia14.exe, PE32 8->40 dropped 17 zkJZ8759BY.exe 1 4 8->17         started        process5 file6 30 C:\Users\user\AppData\...\zkje5643Ww.exe, PE32 17->30 dropped 32 C:\Users\user\AppData\...\nm06wT61aD69.exe, PE32 17->32 dropped 50 Multi AV Scanner detection for dropped file 17->50 52 Machine Learning detection for dropped file 17->52 21 zkje5643Ww.exe 1 4 17->21         started        signatures7 process8 file9 34 C:\Users\user\AppData\...\ljaF82Xv84.exe, PE32 21->34 dropped 36 C:\Users\user\AppData\...\knoI32zx29.exe, PE32 21->36 dropped 54 Multi AV Scanner detection for dropped file 21->54 56 Machine Learning detection for dropped file 21->56 25 knoI32zx29.exe 9 1 21->25         started        28 ljaF82Xv84.exe 1 1 21->28         started        signatures10 process11 signatures12 58 Multi AV Scanner detection for dropped file 25->58 60 Detected unpacking (changes PE section rights) 25->60 62 Detected unpacking (overwrites its own PE header) 25->62 66 2 other signatures 25->66 64 Machine Learning detection for dropped file 28->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/820fe3ac6c45fc1ed547de500f949780b4e1535e5429441ba50ff42adbc8b419/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 12:06:00 UTC
File Type:
PE (Exe)
Extracted files:
133
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qih6hldmix6b5vkh3zia7fexqc2ocu26kquuig5fb72cvw6iwqmq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
279f9ca8b7a1ee460ee5bc0ad626a7f2a3526404deff5c226d614582a044ed14
Amadey
2b7ff587719fa74db76fe0b9d43280aaa64f4e02ea3c5673da9b565d99ce142b
Amadey
34532f862c001878203a4c5f8f2b7efa5c47084ebaf7ca26d906099d753e2471
Amadey
45a5092cb0501c73b73ab59a131337b170fd5d4978e32656aec68a5f2ba0f0f2
Amadey
59d932837802c1b81d5194008c7fdd6cef59c78a83aef291ca4af4e5e6a16f9e
Amadey
8d16985aac3e40f8038e69aa35b81acd1accd4772c8fd6b03a2b9f96f867bcac
Amadey
9b1f4025ad6964df06bcc3496c274985c44c71d4dbdc5e15f51e9c92a2493c02
Amadey
f4689213483ad9b6641ab51755d456500e0a017390b3bb36ad0c7377f7cbeeba
Amadey
f865a58e0fdd45d721a2e7945ef61fb364e5ceff3a99896122afedf25482785f
Amadey
fbb5c00c3c280cd733dd3a470bc22ca33fa961b00c3281f728a09d8172c7db11
Amadey
+ 4'187 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:fabio discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230306-nxaq8abe21/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
193.233.20.26/Do3m4Gor/index.php
193.233.20.27:4123
Unpacked files
SH256 hash:
640950e7dcccd9ff1c076ec929553268a9a878f10bfb1fabffa4e8d0a74a3f54
MD5 hash:
5fe8f2f57fc0b15109f4a4892fd020c9
SHA1 hash:
b6a8efc8e0137f2fa32af26888dcceab2c777965
Link:
https://www.unpac.me/results/00c15e77-7bc7-4c56-a4a8-5257cf5ea8dc/
SH256 hash:
6eaa085ab5a0f1da96fb05504f597b7fcd64fc75dc2fe27c45edfb02f18ddfdc
MD5 hash:
b81f82c6d25ad901bf0c25f3a76a6b8a
SHA1 hash:
91d03cd58e76a61107853193968c2c22da567b3e
Link:
https://www.unpac.me/results/00c15e77-7bc7-4c56-a4a8-5257cf5ea8dc/
SH256 hash:
820fe3ac6c45fc1ed547de500f949780b4e1535e5429441ba50ff42adbc8b419
MD5 hash:
31bd44f5008d5c15546bdf7587b59494
SHA1 hash:
d99588fa054e7843a0e6e839ffebb8348bbf40fc
Link:
https://www.unpac.me/results/00c15e77-7bc7-4c56-a4a8-5257cf5ea8dc/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/820fe3ac6c45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/820fe3ac6c45fc1ed547de500f949780b4e1535e5429441ba50ff42adbc8b419

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 820fe3ac6c45fc1ed547de500f949780b4e1535e5429441ba50ff42adbc8b419

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2560109/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/371948/

Comments