MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA3-384 hash: 93759d53859cdd539b36c5d002bda7ea89b3bc94935e22cc66f51ec05889ced9e130b5582edca5298d7ca3591c2931a8
SHA1 hash: 19cab1291e4e518ae636f2fb3d41567e4e6e4722
MD5 hash: f01f5bc76b9596e0cfeab8a272cba3a5
humanhash: nitrogen-equal-lake-sink
File name:cred64.dll
Download: download sample
Signature Amadey
Create hunting rule
File size:1'174'528 bytes
First seen:2023-11-14 19:23:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c1660912b726baa5dac8bf47e5fa01c9 (2 x Amadey)
ssdeep 24576:Pc6CX/YqLAS81Un+J35XBMpZ9+Jo73Jw/tDMX/td:rqLAS81UnI5XQZ92ogO
Threatray 59 similar samples on MalwareBazaar
TLSH T1EC457D1BA36501BCD4BB9178DA234A46E775700603709BEB57E05AAA2F13FF15EBE310
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter Xev
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
366
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
9fd0508d.exe
Verdict:
Malicious activity
Analysis date:
2023-11-14 19:08:03 UTC
Tags:
amadey botnet stealer loader
Link:
https://app.any.run/tasks/68f30022-c950-4215-bb00-eaf104e17f94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458604/
Detection(s):
Win.Malware.Zusy-9985435-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control crypto evasive fingerprint greyware hacktool lolbin masquerade netsh redcap redcap shell32 stealer zusy zusy
Link:
https://www.filescan.io/uploads/6553c956a71b82df0a7c6665/reports/390dee84-b591-4827-9f19-886edf5689a2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64fb0ff9-898f-4785-8399-3d9b5f8eb338
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
spyw
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1342612
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1342612 Sample: cred64.dll.exe Startdate: 14/11/2023 Architecture: WINDOWS Score: 76 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected Amadeys stealer DLL 2->37 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 3 other processes 8->17 signatures5 39 Tries to harvest and steal browser information (history, passwords, etc) 10->39 19 WerFault.exe 16 10->19         started        21 rundll32.exe 13->21         started        23 WerFault.exe 16 15->23         started        25 WerFault.exe 20 18 17->25         started        27 WerFault.exe 16 17->27         started        process6 process7 29 WerFault.exe 16 21->29         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938/
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-11-07 00:51:00 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qpxw2jauuxamts3m7zicznam3ws4ijpooqekib26gker6rmz3e4a._file
Verdict:
unknown
Similar samples:
2d93ffc4f232bcc5f7c2a19d8fcbaa50884e60a027804fcecc3c40d120eedc8c
Amadey
414cfc196f16fa63ef7d04492d3bc0d061a886c8f5eb78d62ffa7ac238d5b274
Amadey
478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9
Amadey
75521cc92675383e1f9b8996fd925345e562da8b2a2aedb9cebacb9cc0ee0a80
Amadey
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
Amadey
88d82f209133f753957f901cead443ad4e6a0daa148c098dacb565a64be2e80d
Amadey
8e811ce651e84105b197539e75d3f7ee69b58f68cbe2f15521669aadf7d23cf3
Amadey
c28beecf5755aefbd585bd5e88e910c7ffb78780b48d2b01d116583c684741c8
Amadey
dfcf830d9f445d17b12870cb37e682f6d1ddd3b9693f42aed2b6e167363dc412
Amadey
+ 49 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/231114-x4cc3agh5v/
Behaviour
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
MD5 hash:
f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 hash:
19cab1291e4e518ae636f2fb3d41567e4e6e4722
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/ce659c37-b870-4e81-bcbd-464fcf452991/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/458604/

Comments