MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd
SHA3-384 hash: bda6acaba16e58017825ac1d994bf3514ce2fb93c00cf04d505a574c668099dc5102965de1275d6d84f151121cb521f1
SHA1 hash: ca2f5d48e79b3316364416d5ccd5fc9d051032b9
MD5 hash: afdcb2b1b8fa9182ced13402ddeeb681
humanhash: failed-alabama-fourteen-maine
File name:afdcb2b1b8fa9182ced13402ddeeb681.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'347'532 bytes
First seen:2024-12-04 13:41:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 483f0c4259a9148c34961abbda6146c1 (17 x ValleyRAT, 8 x AsyncRAT, 7 x QuasarRAT)
ssdeep 24576:5MjheaNTnRchpVQZeRXfrgutbvqP+8aHgbswIYiWsRvtciqgQRgOD399:QdDRcpfraPqAb9ISSciuRgC99
Threatray 55 similar samples on MalwareBazaar
TLSH T1F1551202F3F304B1ED29CAB88C5181481D227F5999E1636F2EFCEA4E767C7835874966
TrID 74.1% (.EXE) Inno Setup installer (107240/4/30)
9.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.2% (.EXE) Win64 Executable (generic) (10522/11/4)
3.1% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon 9866eb6ba6e868c2 (1 x RedLineStealer, 1 x Amadey)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
afdcb2b1b8fa9182ced13402ddeeb681.exe
Verdict:
Malicious activity
Analysis date:
2024-12-04 14:20:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/47dcef8c-dfa4-44c8-b0d6-1efe93308070

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.Systweak.Gen4.14801.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67505deebc8c6beb30759fe3
Tags:
emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Creating a file
Moving a recently created file
Creating a file in the %AppData% directory
Moving a file to the %AppData% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/67505c30eeff1176420233f9/reports/b4cb359e-7046-42de-b630-b7019b9bbabc/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c1e892a5-a31a-4f4f-ad75-b5b9facc7c0b
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1568335
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Found malware configuration
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses Register-ScheduledTask to add task schedules
Yara detected Amadeys Clipper DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1568335 Sample: 8wTiPaCBRi.exe Startdate: 04/12/2024 Architecture: WINDOWS Score: 100 87 Suricata IDS alerts for network traffic 2->87 89 Found malware configuration 2->89 91 Antivirus detection for URL or domain 2->91 93 8 other signatures 2->93 12 8wTiPaCBRi.exe 2 2->12         started        15 regsvr32.exe 2->15         started        17 regsvr32.exe 2->17         started        process3 file4 67 C:\Users\user\AppData\...\8wTiPaCBRi.tmp, PE32 12->67 dropped 19 8wTiPaCBRi.tmp 3 4 12->19         started        22 regsvr32.exe 15->22         started        25 regsvr32.exe 17->25         started        process5 file6 63 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 19->63 dropped 65 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 19->65 dropped 27 cmd.exe 1 19->27         started        97 Suspicious powershell command line found 22->97 99 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->99 29 powershell.exe 22->29         started        32 powershell.exe 25->32         started        signatures7 process8 signatures9 34 8wTiPaCBRi.exe 2 27->34         started        37 conhost.exe 27->37         started        39 timeout.exe 1 27->39         started        101 Loading BitLocker PowerShell Module 29->101 41 conhost.exe 29->41         started        43 conhost.exe 32->43         started        process10 file11 61 C:\Users\user\AppData\...\8wTiPaCBRi.tmp, PE32 34->61 dropped 45 8wTiPaCBRi.tmp 21 7 34->45         started        process12 file13 69 C:\Users\user\AppData\Roaming\is-N9SV0.tmp, PE32 45->69 dropped 71 C:\Users\user\...\HollowSwallow.dll (copy), PE32 45->71 dropped 73 C:\Users\user\AppData\...\unins000.exe (copy), PE32 45->73 dropped 75 3 other files (none is malicious) 45->75 dropped 48 regsvr32.exe 12 45->48         started        process14 dnsIp15 77 154.216.20.237, 49736, 49737, 49738 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 48->77 79 System process connects to network (likely due to code injection or exploit) 48->79 81 Suspicious powershell command line found 48->81 83 Contains functionality to start a terminal service 48->83 85 3 other signatures 48->85 52 powershell.exe 37 48->52         started        55 powershell.exe 37 48->55         started        signatures16 process17 signatures18 95 Loading BitLocker PowerShell Module 52->95 57 conhost.exe 52->57         started        59 conhost.exe 55->59         started        process19
Score:
31%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2024-12-03 20:36:58 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6kzmxunm2apr7n2hd2mx56cotrwov5ro4jsk3vdumwzn2m6sdoq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
301e56052cf570110e66a429c0acc2454569ff5f966af0e809bef33eb2e02baa
Amadey
403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c
Amadey
8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd
Amadey
96a60b6cde63794b637bce219083e7905560c626e68c00af1d99be451c8c3700
Amadey
d7ecee953b42d1ead347c587deabfc57ed5360b5c20278249d6e2bae39386d56
Amadey
e3e09098510900576291009584c3d813223ebb3b1bea1bfa11e47647f26ce115
Amadey
error
Amadey
+ 45 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:f6a841 discovery execution trojan
Link:
https://tria.ge/reports/241204-qznrzaxkaz/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Amadey
Amadey family
Malware Config
C2 Extraction:
http://154.216.20.237
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/abee921d-4cee-43db-b797-f9428aaad9be
Unpacked files
SH256 hash:
c00c388247dd05b99eb763b567aa0171a465a99fcc1aef97b7eebdb20687d522
MD5 hash:
c76829dceae66364cbba316f07f3519a
SHA1 hash:
d891e8999dfc2dc2443065239a8083f0ee7365f7
Link:
https://www.unpac.me/results/5507bc42-8706-499a-b3c6-29dc7cd88a08/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/5507bc42-8706-499a-b3c6-29dc7cd88a08/
SH256 hash:
b6e01f265447fd9e1ba3aea7d68e442723e62defd1ff0ce552b1eba296c2213b
MD5 hash:
48aa71eb8474d08d01551bf13f6f98c9
SHA1 hash:
b9c209bf62bd33b35a232791014061ab327276ff
Link:
https://www.unpac.me/results/5507bc42-8706-499a-b3c6-29dc7cd88a08/
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
Link:
https://www.unpac.me/results/5507bc42-8706-499a-b3c6-29dc7cd88a08/
SH256 hash:
8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd
MD5 hash:
afdcb2b1b8fa9182ced13402ddeeb681
SHA1 hash:
ca2f5d48e79b3316364416d5ccd5fc9d051032b9
Link:
https://www.unpac.me/results/5507bc42-8706-499a-b3c6-29dc7cd88a08/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f95965e8d66/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 8f95965e8d6680f8fdba38f4cbf7c274e36757b17713256ea3a32d96e99e90dd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3319729/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3319728/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceW
kernel32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetFileAttributesW
kernel32.dll::FindFirstFileW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments