MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e28141aa8e1ec61b3a1bf29dca643466cfa64788d57c9d0c259d6e865b4dfc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 12

SHA256 hash: 8e28141aa8e1ec61b3a1bf29dca643466cfa64788d57c9d0c259d6e865b4dfc0
SHA3-384 hash: 41ec8d926cdb6aa995374584c16241bb35dc1fdfc0f52c620acc699bd67212f43ed9995a03c10eb98bb87e7a8e8519e4
SHA1 hash: 4ad92bde831e7e67ef83806639a78661ea7c353e
MD5 hash: 51ccd25e10663075784e81dcd0ebddac
humanhash: juliet-xray-floor-johnny
File name: 51ccd25e10663075784e81dcd0ebddac.exe
Signature: Amadey
File size: 1'181'560 bytes
First seen: 2023-12-03 16:33:22 UTC
Last seen: 2023-12-03 18:41:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:Rt1x+XPmslQTRdl3YrKWHZX9uWfm2Yysm2YyhZX9uWv:R8eslgl3yKWHZXfizZXv
Threatray: 22 similar samples on MalwareBazaar
TLSH: T1DA45BE3A73139B15CC615B7C8090C2E46F38FA15BB33761BBAFEAB9529039649D941CC
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: Amadey exe signed

Code Signing Certificate

Organisation: installrax inc
Issuer: installrax inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-03T00:40:54Z
Valid to: 2024-12-03T00:40:54Z
Serial number: cb6b13900df591d95340f599aa34c832
Thumbprint Algorithm: SHA256
Thumbprint: 66ee7d812d4ecf98b347cf606bfd887e09751f024b98c7c668236a4f632fbb1b
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 315
Origin country: NL

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Running batch commands
Launching the process to interact with network services
Launching the default Windows debugger (dwwin.exe)
Blocking the User Account Control
Query of malicious DNS domain
Launching a tool to kill processes
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control lolbin overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, HTMLPhisher, Petite Virus, onlyL
Detection: malicious
Classification: rans.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected BlockedWebSite
Yara detected Generic Stealer
Yara detected onlyLogger
Yara detected Petite Virus
Behaviour
Behavior Graph (graph image not reproduced): Behavior Graph ID 1352688, sample qy4U811aUc.exe, start date 03/12/2023, architecture WINDOWS, score 100.
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2023-12-03 01:21:09 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 15 of 22 (68.18%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Windows security modification
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: 8e28141aa8e1ec61b3a1bf29dca643466cfa64788d57c9d0c259d6e865b4dfc0
MD5 hash: 51ccd25e10663075784e81dcd0ebddac
SHA1 hash: 4ad92bde831e7e67ef83806639a78661ea7c353e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Amadey
File type: Executable exe
SHA256 hash: 8e28141aa8e1ec61b3a1bf29dca643466cfa64788d57c9d0c259d6e865b4dfc0 (this sample)

Delivery method: Distributed via web download

Comments