MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407
SHA3-384 hash: 15dd5dfce1d7f3996c9006d4324e5bd5ea7322f740e5435a0c47566466ad8b61838ab65bc11c15ab73b1b081e12e0741
SHA1 hash: 8e615a64e4d72b08926242b7d73a608bdd7e9fce
MD5 hash: 3f1f81101d0ce95fdfac97f5913cd662
humanhash: lemon-chicken-colorado-montana
File name:setup_x86_x64_install.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:3'086'101 bytes
First seen:2021-09-07 18:06:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:9gmyqbLa4v/PurN5Abmm0s+yU82ab80KqjHowNyUZCsMRPoFyDkM+2LRHWzlUzWQ:ynqq8PsfnCUPaQT2ooyUrMFv+2l2RUzB
Threatray 526 similar samples on MalwareBazaar
TLSH T112E53363FD61E3B1D0805A781AB54C2B48BAF435B6E8AE1FD1139D7178A904AFF0D583
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:Amadey exe Loader SmokeLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
478
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-09-07 17:47:01 UTC
Tags:
trojan loader stealer vidar evasion rat redline opendir raccoon
Link:
https://app.any.run/tasks/3e8ac0e9-6e60-4a66-afad-4efd7b13083f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186112/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Sending a UDP request
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bcca7536-57fd-4688-a597-9271b8267b25
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846854
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 479285 Sample: setup_x86_x64_install.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 72 20.42.73.29 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->72 74 69.16.175.42 HIGHWINDS3US United States 2->74 76 7 other IPs or domains 2->76 118 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->118 120 Multi AV Scanner detection for domain / URL 2->120 122 Antivirus detection for URL or domain 2->122 124 15 other signatures 2->124 10 setup_x86_x64_install.exe 10 2->10         started        13 svchost.exe 1 2->13         started        signatures3 process4 file5 62 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->62 dropped 15 setup_installer.exe 17 10->15         started        process6 file7 64 C:\Users\user\AppData\...\setup_install.exe, PE32 15->64 dropped 66 C:\Users\user\...\Tue11f251db82fb7b.exe, PE32 15->66 dropped 68 C:\Users\user\...\Tue11e4e580f2e8141a3.exe, PE32 15->68 dropped 70 12 other files (7 malicious) 15->70 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 78 hsiens.xyz 104.21.87.76, 49711, 80 CLOUDFLARENETUS United States 18->78 80 127.0.0.1 unknown unknown 18->80 126 Performs DNS queries to domains with low reputation 18->126 128 Adds a directory exclusion to Windows Defender 18->128 22 cmd.exe 18->22         started        24 cmd.exe 18->24         started        26 cmd.exe 18->26         started        28 8 other processes 18->28 signatures10 process11 signatures12 31 Tue11141271fbe5877f.exe 22->31         started        36 Tue118f55232e4.exe 24->36         started        38 Tue11bc0507b56295.exe 26->38         started        130 Adds a directory exclusion to Windows Defender 28->130 40 Tue11f251db82fb7b.exe 14 5 28->40         started        42 Tue1109eec571ac.exe 28->42         started        44 Tue11e4e580f2e8141a3.exe 28->44         started        46 3 other processes 28->46 process13 dnsIp14 82 172.67.211.161 CLOUDFLARENETUS United States 31->82 48 C:\ProgramData\4663204.exe, PE32 31->48 dropped 50 C:\ProgramData\4566475.exe, PE32 31->50 dropped 52 C:\ProgramData\4474127.exe, PE32 31->52 dropped 60 2 other files (1 malicious) 31->60 dropped 96 Multi AV Scanner detection for dropped file 31->96 98 Machine Learning detection for dropped file 31->98 84 iplogger.org 88.99.66.31, 443, 49717 HETZNER-ASDE Germany 36->84 86 www.listincode.com 144.202.76.47, 443, 49714 AS-CHOOPAUS United States 36->86 100 Antivirus detection for dropped file 36->100 102 May check the online IP address of the machine 36->102 104 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 38->104 106 Maps a DLL or memory area into another process 38->106 108 Checks if the current machine is a virtual machine (disk enumeration) 38->108 88 cdn.discordapp.com 162.159.134.233, 443, 49706 CLOUDFLARENETUS United States 40->88 90 192.168.2.1 unknown unknown 40->90 54 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 40->54 dropped 92 46.8.29.181 TEAM-HOSTASRU Russian Federation 42->92 110 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 42->110 112 Sample uses process hollowing technique 44->112 114 Injects a PE file into a foreign processes 44->114 94 a.goatgame.co 172.67.146.70, 443, 49705 CLOUDFLARENETUS United States 46->94 56 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 46->56 dropped 58 C:\Users\user\...\Tue11b9d76a96506.tmp, PE32 46->58 dropped 116 Creates processes via WMI 46->116 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 18:06:15 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=scvgu7dxb4wa6skzm4y4qd62puceqaw6vhuql74ztm443jkcqqdq._file
Verdict:
unknown
Similar samples:
3febf03463e0e65ef9d0fc4e8a38f01dd7c6dfee10258876981539b7a319a620
Amadey
4f4c2c9bdfef8a8cfbe2c8f84bf12cc86f26f59d54c277dab39f4c5e92948708
Amadey
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
Amadey
5bbc833edf2e7c061fd34fe1aba85ff56746dbe0875eafcc945c264ac45193ae
Amadey
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
Amadey
6e67e541d5801d97cb6fc3ec483b7b9dc302506c0f3a1ef0942ea3f7126e9e87
Amadey
76c9ba959cb30c682c744ec265b3ae18fa5f92250cdc153139fb83835ca17356
Amadey
bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
Amadey
+ 516 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:916 botnet:jayson aspackv2 backdoor evasion infostealer persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210907-wqa3eagcgr/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Tnega Activity (GET)
Malware Config
C2 Extraction:
https://gheorghip.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
95.181.172.207:56915
Dropper Extraction:
http://shellloader.com/welcome
Unpacked files
SH256 hash:
6bb9cef27956113d1d729826b296f672aae5aabd2cc03b8e8410db9c2b397b2e
MD5 hash:
113269507d423a14e7a8b17f9bbaabe6
SHA1 hash:
45dc4e0fec69229b80c5d29afa8e70e4a8a48120
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
c034ee0ed45c8278cf10e330a92220f7d33c2d3d10f2721c2acabcca552b6423
MD5 hash:
4df600c45dbfd49fa9e31134e8f47434
SHA1 hash:
f07d4411a7b3722206e9d17e94749819930cedcb
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
7777465f7b0bd4aba71b18b7815a40f3c7d963cbd98012240ad3a641ef5f76ac
MD5 hash:
511222e0d608169246f837043d8e413b
SHA1 hash:
d0e24a63435789cadf48c8a7e18f7ced0573311e
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
f1beb85136c1ad8814005fa3b4f1d67c48d78e52f646c140c9395d6c1e691c4c
MD5 hash:
4f4faa78c2e5ecc89b977eb2019abbaa
SHA1 hash:
6357e1d8e1580ccb680c81a8d980cb52e11e77e3
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
11b1a2a4e9873feca2f5dea8a104ff9af5bdd83e3d1dc80a23004e0fa1bfb1a2
MD5 hash:
76fcde225030b48cfe8a938fb3886ecf
SHA1 hash:
5f58c9c0b245319a92da3a877881c6b746289168
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
a1edee4ff135e5ce2334da03652c77f77c5258eceb4b4e0a447694533566e380
MD5 hash:
bff1da4b8ff0373c8c94013d1d3e6b13
SHA1 hash:
5c2046225ee0f1dc7de9d94123220793b2ee91d1
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
75a5b14dce57d42b1a511572ac26ceab4b12c27f320d8aa0b3a1c85b3ff17768
MD5 hash:
678bde2fab3c91f994eae110895bddf7
SHA1 hash:
41bca87a0a06251b9fb8a187c0036b807f8ca9fa
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
a5aeb259fcb37778ef1ceee91414bd478391427493b8800c28f892d8761afdf0
MD5 hash:
6e1f9e31cd31a13b13d02594153c0245
SHA1 hash:
0b4a1c4cd34ba95c2f8bc33f864c44cdf86b441d
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
17c6394f4256e6ec014b98d078dcfae89bfff431bb5fd17e95d5858b50ca1659
MD5 hash:
2927aaa5f942c2fb3f781d0ed30fb6ab
SHA1 hash:
19c566defbc40d60e909cd4635a840a042b119b3
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
85a8eb5c9b0b09a422eddd70cdd44ee6339f7a2a454b8f0346518597ee85f492
MD5 hash:
b9913994328fc7959f298ecf935b0a49
SHA1 hash:
9e61858cc4eea084d7d507594cf7bd8bfdf0a8f0
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
115a7e343f07ae725004ddfd06aad3d0413eb656087d70252c7cb0ca9c68f2db
MD5 hash:
d0bce345c5096a7f9291e420d73cc7c6
SHA1 hash:
0b839db26ea5b9304ae70cd5c963f0463c87a756
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
df78a2f56b928eb7bf87c4740b1cad24ffb881f645cbdc8f90f4c03690fb06da
MD5 hash:
661351c4c62f0fee82adab7278288703
SHA1 hash:
6727cc0c0403d86f2fe070b0c7568872263a8947
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
1dc304010b04d025e9e5eca66fb1b969a2ea2ec3b336c2a787951d7a31350ed5
MD5 hash:
7cea45d349b57dacad3569e769557d2a
SHA1 hash:
b30f2852a12b33ccb7189288ec09a098b2316057
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
02b197bdae5b1255a94d26593b5759a47a6944b7dc92d4628ae558ce8a359d6e
MD5 hash:
9e2f118e3f3ee926583dee6c376585f2
SHA1 hash:
fd093f6e8b60ddd76418bd709a81ddbb3a030451
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
SH256 hash:
90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407
MD5 hash:
3f1f81101d0ce95fdfac97f5913cd662
SHA1 hash:
8e615a64e4d72b08926242b7d73a608bdd7e9fce
Link:
https://www.unpac.me/results/7fdb0c81-84a7-444e-ac61-a5829a390d88/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/90aa6a7c770f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186112/

Comments