MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d52782438c7f8de34e301a512613cb028c0b80f00c3e4011e618be72fdb7243. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d52782438c7f8de34e301a512613cb028c0b80f00c3e4011e618be72fdb7243
SHA3-384 hash: a5d72844f8e66a88205d796bd63165080cbb4171977f73e8209c5a0d47f2887aa69a39e69c7f72262dbbdb69c2efed27
SHA1 hash: 9e7ba88b6adff9020aa70061c22576601acd6730
MD5 hash: 5c5f622e093ec21e8bffaf8b1aaf775b
humanhash: harry-mirror-lima-summer
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:1'257'984 bytes
First seen:2024-07-28 13:12:56 UTC
Last seen:2024-07-30 04:07:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:8HnxynVkD1kRkKB/6uJ5t0NOeqK8JFWHqH1Gd5+e:WnxynGpKQWsNOeEFKcC5+
Threatray 194 similar samples on MalwareBazaar
TLSH T1A5451AFE27195886EDAC26306461B27597F71CC2A8A9E3444E9D71CB6FF3780025B2CD
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 600c726171b14630 (2 x LummaStealer, 1 x DarkGate, 1 x Amadey)
Reporter Bitsight
Tags:Amadey exe FakeBit lockbit LockBit 5.01


Avatar
Bitsight
url: http://185.215.113.101/file/s5.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
447
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8d52782438c7f8de34e301a512613cb028c0b80f00c3e4011e618be72fdb7243
Verdict:
No threats detected
Analysis date:
2024-07-23 11:39:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6e71b747-b904-4af5-b709-a1ca348f6167

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a643e346f80f37dcaa9085
Tags:
Generic Stealth Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Launching a process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive overlay vbnet
Link:
https://www.filescan.io/uploads/66a643e28f66298c01f42fd9/reports/da7a77b4-f32a-4196-8732-a710d500e253/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c7b18e5-86d9-4305-ae7a-6629211c980c
Result
Threat name:
LockBit ransomware, PureLog Stealer, zgR
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1483659
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus detection for URL or domain
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential ransomware demand text
Found ransom note / readme
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LockBit ransomware
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1483659 Sample: file.exe Startdate: 28/07/2024 Architecture: WINDOWS Score: 100 41 i.ibb.co 2->41 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 11 other signatures 2->51 9 file.exe 15 3 2->9         started        signatures3 process4 dnsIp5 43 i.ibb.co 162.19.58.156, 443, 49730, 49742 CENTURYLINK-US-LEGACY-QWESTUS United States 9->43 31 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 9->31 dropped 59 Writes to foreign memory regions 9->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->61 63 Injects a PE file into a foreign processes 9->63 14 AddInProcess32.exe 27 1002 9->14         started        18 AddInProcess32.exe 14 3 9->18         started        20 AddInProcess32.exe 9->20         started        file6 signatures7 process8 file9 33 Microsoft_Office_msoev_exe_15.axOkKRj8m, DOS 14->33 dropped 35 C:\Users\user\AppData\...\edb.log.axOkKRj8m, COM 14->35 dropped 37 C:\Users\user\...\xulstore.json.axOkKRj8m, data 14->37 dropped 39 211 other files (209 malicious) 14->39 dropped 65 Found potential ransomware demand text 14->65 67 Found Tor onion address 14->67 69 Overwrites Mozilla Firefox settings 14->69 81 2 other signatures 14->81 22 splwow64.exe 14->22         started        71 Writes to foreign memory regions 18->71 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->73 75 Injects a PE file into a foreign processes 18->75 25 InstallUtil.exe 18->25         started        27 InstallUtil.exe 18->27         started        77 Contains functionality to detect hardware virtualization (CPUID execution measurement) 20->77 79 Writes many files with high entropy 20->79 signatures10 process11 signatures12 53 Found potential ransomware demand text 22->53 55 Found Tor onion address 22->55 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 25->57 29 conhost.exe 25->29         started        process13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8d52782438c7f8de34e301a512613cb028c0b80f00c3e4011e618be72fdb7243
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d52782438c7f8de34e301a512613cb028c0b80f00c3e4011e618be72fdb7243/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeyLogger
Create hunting rule
Status:
Malicious
First seen:
2024-07-21 18:42:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rvjhqjbyy74n4nhdagsreyj4waumboapadb6iai6mgf6ol63ojbq._file
Verdict:
malicious
Similar samples:
03db266db5b96223ef42206d57e30fa58c59e70b1d14c017422f097af1560ad1
Amadey
0ec87a7f943ab72d08aeb957d33dd348ab7cf45052ab7a31bcce33ff7a095837
Amadey
2829c9ce2041e1694f1bd55efc1d1096ade843da8fb6665b92c3c21efa538642
Amadey
29186fc94bec8aab709cd3a8eeb154cb6c03b1594502f70c0a40a38940f85474
Amadey
3546926360ce335048cccdcd09ac261e37343d32e1c55d1c33207452b12972cc
Amadey
4110ad75016f47236031c552c464d259b301e6ce07c462961fb2d7d6fc976ca8
Amadey
9cb76090b74457b23fd3daf8af4793510cb94a970046de0ea4d3bb05527ba2e1
Amadey
ab14946e5c64f18b74701ef15fef5db8ec4f61c43e7032e0493645c932777eb1
Amadey
+ 184 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery ransomware
Link:
https://tria.ge/reports/240728-qf3rsasarg/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Renames multiple (635) files with added filename extension
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4088e3e4-a294-490f-b208-11c6ea6be574
Unpacked files
SH256 hash:
8d52782438c7f8de34e301a512613cb028c0b80f00c3e4011e618be72fdb7243
MD5 hash:
5c5f622e093ec21e8bffaf8b1aaf775b
SHA1 hash:
9e7ba88b6adff9020aa70061c22576601acd6730
Link:
https://www.unpac.me/results/775da4c9-600a-4b84-bed9-cd8b9486be81/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d52782438c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d52782438c7f8de34e301a512613cb028c0b80f00c3e4011e618be72fdb7243

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 8d52782438c7f8de34e301a512613cb028c0b80f00c3e4011e618be72fdb7243

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3075118/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
Kasibe commented on 2024-07-29 17:52:35 UTC

RedLine