MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 14



SHA256 hash: 8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b
SHA3-384 hash: fba073210ba1e493ecb53a6a2848b5637f01af5d2ca90737914cc3b10cbf9c7df0503231ab468a79e280bf8d0f2aeb06
SHA1 hash: ae394d63053d15e549c0dc174467d2b5ab5ffc98
MD5 hash: 52b22168cedfe571d08aff7d0746fefa
humanhash: cat-mirror-coffee-finch
File name: sample31.exe
Signature: Amadey
File size: 251'904 bytes
First seen: 2023-01-23 21:18:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ff81011ab3449dee85df51db7b508091 (10 x Amadey)
ssdeep: 6144:RNN2mv+MgDd73GA1NXZn6zlvKoWFu7u1yiIKQXvR:TrgZDGABWl5W6u1yt
Threatray: 9'598 similar samples on MalwareBazaar
TLSH: T19B3409217D26C031D660517729A9BFF2C19DA8259BB049DB7B800F3BDA122E67970E3D
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: atomiczsec
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 170
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: sample31.exe
Verdict: Malicious activity
Analysis date: 2023-01-23 21:20:14 UTC
Tags: trojan amadey loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Creating a window
Creating a file
Sending an HTTP POST request
Delayed reading of the file
Sending an HTTP GET request
Adding an access-denied ACE
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
GetTempPath
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 67%
Tags: greyware shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Xmrig
Detection: malicious
Classification: phis.troj.adwa.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 790174; Sample: sample31.exe; Start date: 23/01/2023; Architecture: WINDOWS; Score: 100
Signatures on the sample: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 10 other signatures

Process tree recovered from the behavior graph (dropped files, contacted hosts and signatures are listed under the process they are attributed to):

sample31.exe
    dropped: C:\Users\user\AppData\Local\...\nbveek.exe (PE32); C:\Users\user\...\nbveek.exe:Zone.Identifier (ASCII)
    signature: Contains functionality to inject code into remote processes
    started: nbveek.exe
        network: 83.217.11.7 (ATLEX-ASRU, Russian Federation)
        dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\...\MicrosoftFIX_error.exe (PE32); 6 other malicious files
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 2 other signatures
        started: MicrosoftFIX_error.exe
            dropped: C:\Users\user\AppData\...\ProgramStarter.exe (PE32)
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            started: ProgramStarter.exe
                network: 64.185.227.155 (WEBNXUS, United States); 149.154.167.220 (TELEGRAMRU, United Kingdom); 5 other IPs or domains
                dropped: C:\ProgramData\RuntimeBrokerData\svhost.exe (PE32+); C:\ProgramData\...\WinRing0x64.sys (PE32+); C:\ProgramData\...\RuntimeBroker.exe (PE32); 2 other malicious files
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
                started: cmd.exe (Encrypted powershell cmdline option found) -> conhost.exe, powershell.exe
                started: cmd.exe -> conhost.exe, schtasks.exe
                started: cmd.exe -> conhost.exe, schtasks.exe
                started: 13 other processes -> conhost.exe, 21 other processes
        started: rundll32.exe
            started: rundll32.exe
                signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                started: tar.exe -> conhost.exe
        started: DefendUpdate.exe
            network: 216.58.215.238 (GOOGLEUS, United States); 8.8.8.8 (GOOGLEUS, United States)
            signatures: Antivirus detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc)
            started: cmd.exe -> conhost.exe, choice.exe
        started: 6 other processes
            signature: Encrypted powershell cmdline option found
            started: conhost.exe, conhost.exe, cmd.exe, 5 other processes
svchost.exe
    signature: Query firmware table information (likely to detect VMs)
svchost.exe
    signature: Changes security center settings (notifications, updates, antivirus, firewall)
9 other processes
Result
Malware family: redline
Score: 10/10
Tags: family:amadey family:redline infostealer spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Amadey
RedLine
Malware Config
C2 Extraction:
83.217.11.7/8vcWxwwx3/index.php
95.217.146.176:4281
Unpacked files
SHA256 hash: 8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b
MD5 hash: 52b22168cedfe571d08aff7d0746fefa
SHA1 hash: ae394d63053d15e549c0dc174467d2b5ab5ffc98
Detections: Amadey
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments