MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8672c7c63c3cf3e5a823a0f5c999c4d29383e810457f79264f64bc2edb563c60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8672c7c63c3cf3e5a823a0f5c999c4d29383e810457f79264f64bc2edb563c60
SHA3-384 hash: 50b34f68f2ea8bc56fe890e737b960ce5e7322e878bfcb2594fae819f3053704255e4e0ba1d445737dc1478a352d2907
SHA1 hash: d3370bc98065a5b0d11b06a089f9280e184325b1
MD5 hash: be131b7bc8cd4eb30eb81ccceeaaea4d
humanhash: twenty-neptune-mississippi-item
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:1'856'512 bytes
First seen:2024-11-21 15:08:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:x1C65bDvLzDByacb4n+rK7oXKjdPSoj+:xMGbbQai4nMSpSo
Threatray 5'251 similar samples on MalwareBazaar
TLSH T164853300CEC7E977D3CC08715A879A737FA9142AB29C366E0D1397B9984329F7D365A0
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
417
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-21 15:10:25 UTC
Tags:
amadey botnet stealer loader themida lumma stealc cryptbot
Link:
https://app.any.run/tasks/91f39b63-5685-48c0-b3fc-6f6c08806f32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.22348.1638.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673f4e1120280512a0db962d
Tags:
vmdetect autorun autoit spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/673f4d1da3ad006ec2e18d7c/reports/03aad23b-b0fb-4f4b-9235-34843d9cc669/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8672c7c63c3cf3e5a823a0f5c999c4d29383e810457f79264f64bc2edb563c60
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2ee47320-a627-4a7a-a9f3-23d85bfa0ca2
Result
Threat name:
LummaC, Amadey, Credential Flusher, Cryp
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1560285
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops large PE files
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Modifies windows update settings
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1560285 Sample: file.exe Startdate: 21/11/2024 Architecture: WINDOWS Score: 100 98 youtube.com 2->98 100 youtube-ui.l.google.com 2->100 102 42 other IPs or domains 2->102 134 Suricata IDS alerts for network traffic 2->134 136 Found malware configuration 2->136 138 Antivirus detection for URL or domain 2->138 140 14 other signatures 2->140 9 skotes.exe 4 32 2->9         started        14 file.exe 5 2->14         started        16 88bfd6b96a.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 122 185.215.113.43, 49783, 49793, 49816 WHOLESALECONNECTIONSNL Portugal 9->122 124 31.41.244.11, 49795, 49817, 80 AEROEXPRESS-ASRU Russian Federation 9->124 126 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 9->126 86 C:\Users\user\AppData\...\cda385c5f4.exe, PE32 9->86 dropped 88 C:\Users\user\AppData\...\2dbebe6650.exe, PE32 9->88 dropped 90 C:\Users\user\AppData\...\e472ab6850.exe, PE32 9->90 dropped 96 9 other files (8 malicious) 9->96 dropped 170 Creates multiple autostart registry keys 9->170 172 Hides threads from debuggers 9->172 174 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->174 20 cda385c5f4.exe 9->20         started        23 e472ab6850.exe 9->23         started        27 L.exe 9->27         started        37 3 other processes 9->37 92 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->92 dropped 94 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->94 dropped 176 Detected unpacking (changes PE section rights) 14->176 178 Tries to evade debugger and weak emulator (self modifying code) 14->178 180 Tries to detect virtualization through RDTSC time measurements 14->180 29 skotes.exe 14->29         started        182 Query firmware table information (likely to detect VMs) 16->182 184 Tries to harvest and steal ftp login credentials 16->184 186 Tries to harvest and steal browser information (history, passwords, etc) 16->186 188 Tries to steal Crypto Currency Wallets 16->188 190 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->190 31 firefox.exe 18->31         started        33 msedge.exe 18->33         started        35 taskkill.exe 18->35         started        file6 signatures7 process8 dnsIp9 142 Multi AV Scanner detection for dropped file 20->142 144 Detected unpacking (changes PE section rights) 20->144 146 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->146 162 4 other signatures 20->162 104 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 23->104 76 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 23->76 dropped 78 C:\Users\user\AppData\...\softokn3[1].dll, PE32 23->78 dropped 80 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 23->80 dropped 84 9 other files (none is malicious) 23->84 dropped 148 Attempt to bypass Chrome Application-Bound Encryption 23->148 150 Tries to harvest and steal browser information (history, passwords, etc) 23->150 152 Tries to evade debugger and weak emulator (self modifying code) 23->152 39 chrome.exe 23->39         started        42 msedge.exe 23->42         started        106 cook-rain.sbs 104.21.66.38, 443, 49811, 49818 CLOUDFLARENETUS United States 27->106 154 Query firmware table information (likely to detect VMs) 27->154 156 Found many strings related to Crypto-Wallets (likely being stolen) 27->156 164 2 other signatures 27->164 166 3 other signatures 29->166 112 6 other IPs or domains 31->112 45 firefox.exe 31->45         started        47 firefox.exe 31->47         started        108 sb.scorecardresearch.com 18.165.220.57 MIT-GATEWAYSUS United States 33->108 110 ssl.bingadsedgeextension-prod-europe.azurewebsites.net 94.245.104.56 MICROSOFT-CORP-MSN-AS-BLOCKUS United Kingdom 33->110 114 8 other IPs or domains 33->114 49 conhost.exe 35->49         started        116 2 other IPs or domains 37->116 82 C:\Users\user\AppData\...\service123.exe, PE32 37->82 dropped 158 Binary is likely a compiled AutoIt script file 37->158 160 Drops large PE files 37->160 51 taskkill.exe 37->51         started        53 taskkill.exe 37->53         started        55 taskkill.exe 37->55         started        57 4 other processes 37->57 file10 signatures11 process12 dnsIp13 118 192.168.2.7, 443, 49700, 49701 unknown unknown 39->118 120 239.255.255.250 unknown Reserved 39->120 59 chrome.exe 39->59         started        62 chrome.exe 39->62         started        168 Monitors registry run keys for changes 42->168 64 msedge.exe 42->64         started        66 conhost.exe 51->66         started        68 conhost.exe 53->68         started        70 conhost.exe 55->70         started        72 conhost.exe 57->72         started        74 conhost.exe 57->74         started        signatures14 process15 dnsIp16 128 www.google.com 142.250.201.36 GOOGLEUS United States 59->128 130 chrome.cloudflare-dns.com 59->130 132 172.217.171.228 GOOGLEUS United States 62->132
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8672c7c63c3cf3e5a823a0f5c999c4d29383e810457f79264f64bc2edb563c60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8672c7c63c3cf3e5a823a0f5c999c4d29383e810457f79264f64bc2edb563c60/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-21 15:09:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
26 of 38 (68.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzzmprr4htz6lkbdud24tgoe2kjyh2aqiv7xsjspms6c5w2whrqa._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
04a4ed789f8a254681cc65fe7361660373cc8a37b66992979c916bf4f990c8b9
Amadey
8672c7c63c3cf3e5a823a0f5c999c4d29383e810457f79264f64bc2edb563c60
Amadey
9e13c0c0d9dc49f26224c47d12c12482ce0a1ad9a150bd73f7623ff542840851
Amadey
a64238bb65c406ec9ef9267f96de8b2ff4a2dc1998859970f2b7399aed50db76
Amadey
b4ed53947a407459822c5d352bb5300a5885b9dec2b6c319c48f54b57a02e2eb
Amadey
c0329dc59dde4e5ee3352e3c9e5df7c407dbef202aa1ac730be4be6a68857d15
Amadey
c714577cc08df82a0894aa58aa968fa3b9761c198581bd99fce150fa488248e3
Amadey
ce83aa5c8762fed96db6a856e665a69e7b3a296c228fc98885e51d6391ff6bee
Amadey
error
Amadey
f5e9fbd5e21af911631990625f0f1abf0b7d8cd0ea7ae635767bfa069ad60123
Amadey
f62dd7441e98f7b679d6eaef42f6e5b14ccb9bac8b961f26228b9bddcbdbb6b4
Amadey
+ 5'241 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:cryptbot family:stealc botnet:9c9aa5 botnet:mars credential_access discovery evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/241121-slbxcssrgv/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
CryptBot
Cryptbot family
Detects CryptBot payload
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.43
http://185.215.113.206
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a0d2256a-c768-4973-af7f-7f318630e076
Unpacked files
SH256 hash:
83af4cf5780befef1b75cf01e58d6d4e6e5f94607bd3d84c2ec113183877a9f4
MD5 hash:
12c9837b9a5d5b7ae8c981e57fcbdc1c
SHA1 hash:
b99b0a47c497d02ef9acb667f8dafec295912b2e
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/f5e04642-a583-4188-a913-5f856367aef9/
SH256 hash:
8672c7c63c3cf3e5a823a0f5c999c4d29383e810457f79264f64bc2edb563c60
MD5 hash:
be131b7bc8cd4eb30eb81ccceeaaea4d
SHA1 hash:
d3370bc98065a5b0d11b06a089f9280e184325b1
Link:
https://www.unpac.me/results/f5e04642-a583-4188-a913-5f856367aef9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8672c7c63c3cf3e5a823a0f5c999c4d29383e810457f79264f64bc2edb563c60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 8672c7c63c3cf3e5a823a0f5c999c4d29383e810457f79264f64bc2edb563c60

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3273372/
  
URLhaus
https://urlhaus.abuse.ch/url/3072521/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments