MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d
SHA3-384 hash: 43c51015da82be3695074ec789276e5de9aecc9fa58c3e5786211f6d5e7ef30276a2a437a3d03596e39e37db4e0a4737
SHA1 hash: c0548bcd5649f2b2e394fddd2b2e51361096d21c
MD5 hash: bc5023306fc8985f32a0a9e78156e17e
humanhash: connecticut-dakota-violet-romeo
File name:bc5023306fc8985f32a0a9e78156e17e
Download: download sample
Signature Amadey
Create hunting rule
File size:1'887'744 bytes
First seen:2024-02-12 04:43:18 UTC
Last seen:2024-02-12 12:46:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:FgtslEnROL38/C/dS8x9zypcmv2AuFKi03Gua/r6kiLrj57stKvfXNGXlpuPt3:QnY38/8S8Lzr6bi03NbkiLHYK3XYpW
TLSH T1D69533831ADF8464C6CA58F96F3FC3A6A572B782EB25A0DD3C362157DE970464F4E801
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
484
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2024-02-12 03:12:29 UTC
Tags:
loader hausbomber opendir payload stealer stealc rhadamanthys lumma redline risepro evasion xworm remote azorult phorpiex trojan amadey botnet arechclient2 backdoor cobaltstrike purplefox socks5systemz proxy metastealer rat gh0st raccoon arkei doina qbot nitol gcleaner keylogger remcos quasar recordbreaker
Link:
https://app.any.run/tasks/a9c62d90-acfc-4b56-813c-55e7a6bad89d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/475774/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop25.30464.29049.20562.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65c9a21390a5367ac0c0dd5a/reports/3b9c6aac-cb3c-4f48-bd64-403f4f8b4ad0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/efe2d426-2429-4555-8bd6-a0cc29dbfc40
Result
Threat name:
Amadey, LummaC Stealer, RedLine, RisePro
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1390505
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1390505 Sample: 1cfxwHmB63.exe Startdate: 12/02/2024 Architecture: WINDOWS Score: 100 121 prod.detectportal.prod.cloudops.mozgcp.net 2->121 123 ipv4only.arpa 2->123 125 3 other IPs or domains 2->125 155 Snort IDS alert for network traffic 2->155 157 Multi AV Scanner detection for domain / URL 2->157 159 Found malware configuration 2->159 161 22 other signatures 2->161 10 explorgu.exe 1 51 2->10         started        15 MPGPH131.exe 2->15         started        17 MSIUpdaterV131.exe 2->17         started        19 10 other processes 2->19 signatures3 process4 dnsIp5 147 185.215.113.32 WHOLESALECONNECTIONSNL Portugal 10->147 149 193.233.132.167 FREE-NET-ASFREEnetEU Russian Federation 10->149 153 2 other IPs or domains 10->153 99 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 10->99 dropped 101 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 10->101 dropped 103 C:\Users\user\AppData\Local\Temp\...\for.exe, PE32 10->103 dropped 113 19 other malicious files 10->113 dropped 193 Multi AV Scanner detection for dropped file 10->193 195 Detected unpacking (changes PE section rights) 10->195 215 6 other signatures 10->215 21 dota.exe 10->21         started        26 rundll32.exe 10->26         started        28 rundll32.exe 12 10->28         started        105 C:\Users\user\...\K4mdEI9yb5XmNSoRpYuK.exe, PE32 15->105 dropped 107 C:\Users\user\AppData\Local\...\fu[1].exe, PE32 15->107 dropped 109 C:\Users\user\...\6oGjho1u5dz9Knscf2F1xRx.zip, Zip 15->109 dropped 197 Contains functionality to check for running processes (XOR) 15->197 199 Binary is likely a compiled AutoIt script file 15->199 201 Tries to steal Mail credentials (via file / registry access) 15->201 203 Contains functionality to inject threads in other processes 15->203 205 Antivirus detection for dropped file 17->205 207 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->207 209 Machine Learning detection for dropped file 17->209 151 127.0.0.1 unknown unknown 19->151 111 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 19->111 dropped 115 2 other malicious files 19->115 dropped 211 Found many strings related to Crypto-Wallets (likely being stolen) 19->211 213 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 19->213 217 2 other signatures 19->217 30 msedge.exe 19->30         started        32 firefox.exe 19->32         started        34 firefox.exe 19->34         started        36 2 other processes 19->36 file6 signatures7 process8 dnsIp9 127 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 21->127 129 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 21->129 131 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 21->131 89 C:\Users\user\...\tYt2C_Bny2oXZEFNMvzR.exe, PE32 21->89 dropped 91 C:\Users\user\...\nV918DJc17RgqP0zVznt.exe, PE32 21->91 dropped 93 C:\Users\user\...\dVRK78fE09rJRiOADu2L.exe, PE32 21->93 dropped 95 15 other malicious files 21->95 dropped 181 Detected unpacking (changes PE section rights) 21->181 183 Contains functionality to check for running processes (XOR) 21->183 185 Binary is likely a compiled AutoIt script file 21->185 189 5 other signatures 21->189 38 6yVO9Vzr2cCnld6gaFe8.exe 21->38         started        41 tYt2C_Bny2oXZEFNMvzR.exe 21->41         started        43 schtasks.exe 21->43         started        47 3 other processes 21->47 45 rundll32.exe 23 26->45         started        187 System process connects to network (likely due to code injection or exploit) 28->187 133 131.253.33.239 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->133 135 108.177.122.93 GOOGLEUS United States 30->135 139 14 other IPs or domains 30->139 137 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 32->137 file10 signatures11 process12 signatures13 163 Multi AV Scanner detection for dropped file 38->163 165 Detected unpacking (changes PE section rights) 38->165 167 Tries to evade debugger and weak emulator (self modifying code) 38->167 177 3 other signatures 38->177 169 Binary is likely a compiled AutoIt script file 41->169 49 chrome.exe 41->49         started        52 chrome.exe 41->52         started        54 chrome.exe 41->54         started        66 10 other processes 41->66 56 conhost.exe 43->56         started        171 Tries to steal Instant Messenger accounts or passwords 45->171 173 Uses netsh to modify the Windows network and firewall settings 45->173 175 Tries to harvest and steal ftp login credentials 45->175 179 2 other signatures 45->179 58 powershell.exe 26 45->58         started        62 netsh.exe 2 45->62         started        64 conhost.exe 47->64         started        68 2 other processes 47->68 process14 dnsIp15 117 192.168.2.4 unknown unknown 49->117 119 239.255.255.250 unknown Reserved 49->119 70 chrome.exe 49->70         started        73 chrome.exe 49->73         started        75 chrome.exe 52->75         started        77 chrome.exe 54->77         started        79 conhost.exe 56->79         started        97 C:\Users\user\...\246122658369_Desktop.zip, Zip 58->97 dropped 191 Found many strings related to Crypto-Wallets (likely being stolen) 58->191 81 conhost.exe 58->81         started        83 conhost.exe 62->83         started        85 chrome.exe 66->85         started        87 3 other processes 66->87 file16 signatures17 process18 dnsIp19 141 photos-ugc.l.googleusercontent.com 142.250.105.132 GOOGLEUS United States 70->141 143 youtube-ui.l.google.com 142.250.105.190 GOOGLEUS United States 70->143 145 40 other IPs or domains 70->145
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d/
Threat name:
Win32.Spyware.Risepro
Create hunting rule
Status:
Malicious
First seen:
2024-02-12 04:44:07 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 23 (86.96%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcgoqqtgewbufy7tv6637xrxpnw2ylkhyrezwut2i727n45dv56q._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:xmrig evasion miner spyware stealer trojan upx
Link:
https://tria.ge/reports/240212-fctdtscf85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
xmrig
Malware Config
C2 Extraction:
http://185.215.113.32
Unpacked files
SH256 hash:
ba8de97348ec13aa9d2f51552878076b35f88a87daaea2e99dd372f41b85a69e
MD5 hash:
cd6a030a4597b499331b1f7596951660
SHA1 hash:
a1a64731c8d239eba3eeb38670e6c01b4db2ffde
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/0bbb8e97-e081-4c54-8620-ac4cc7e809b7/
SH256 hash:
888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d
MD5 hash:
bc5023306fc8985f32a0a9e78156e17e
SHA1 hash:
c0548bcd5649f2b2e394fddd2b2e51361096d21c
Link:
https://www.unpac.me/results/0bbb8e97-e081-4c54-8620-ac4cc7e809b7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/888ce8426625/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2757406/
  
URLhaus
https://urlhaus.abuse.ch/url/2759927/
Cape
Cape
https://www.capesandbox.com/analysis/475774/

Comments


Avatar
zbet commented on 2024-02-12 04:43:19 UTC

url : hxxp://185.215.113.46/mine/amert.exe