MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 9

SHA256 hash: 9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b
SHA3-384 hash: a474afe7decf9a00dd87669ff7ae20ec7c977ee6c124cd84d052ccc9f1fef2a8a39c2ae511f069de0a8c959630171568
SHA1 hash: 8b3aa13104920abc0eef34d720058f9ac120a680
MD5 hash: 285e3fe042f687b463de137779ecb33d
humanhash: oranges-speaker-harry-ink
File name: qqeng.pdf.lnk
Signature: Amadey
File size: 1'964 bytes
First seen: 2024-03-17 20:01:47 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 24:8WYaNBmYhZHcvm4pyAcPkr+/4Z+nQ6gIdd79dshavt3r3KrlcKOdm:8WYazmSZHomuZ1QdJ9FvpbolMd
TLSH: T1904133111BE60735F3F38E7708766711AB32F80AED239F0E41E542480852600E475F7B
Reporter: rmceoin
Tags: Amadey lnk


rmceoin
147.45.79.82/Downloads/qqeng.pdf.lnk
lastmodified: Sun, 17 Mar 2024 01:33:55 GMT
LNK -> mshta http://92.246.138.48/qqeng -> https://cdnproviderhubworldleads.cfd/update.exe

distraction: https://sgmindia.biz/temp/students.pdf

Intelligence

File Origin
# of uploads: 1
# of downloads: 195
Origin country: US

Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs: http://92.246.138.48/qqeng (file name: LNK File)
Behaviour
BlacklistAPI detected
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: forfiles lolbin masquerade mshta shell32

Result
Verdict: MALICIOUS
Details
IPv4 Dotted Quad URL: A URL was detected referencing a direct IP address, as opposed to a domain name.

Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Behaviour
Behavior Graph (ID 1410452, sample qqeng.pdf.lnk, start date 17/03/2024, architecture WINDOWS, score 100). The process tree and network contacts shown in the graph image:
- forfiles.exe -> starts powershell.exe and conhost.exe (Windows shortcut file (LNK) starts blacklisted processes)
- powershell.exe -> starts mshta.exe (Powershell drops PE file)
- mshta.exe -> contacts 92.246.138.48:80 (MEGAMAX-ASNizhnyNovgorodRU, Russian Federation); drops C:\Users\user\AppData\Local\...\qqeng[1] (PE32); starts powershell.exe (suspicious powershell command line found; very long command line found)
- powershell.exe -> contacts cdnproviderhubworldleads.cfd 147.78.103.160:443 (CMCSUS, Germany) and sgmindia.biz 45.84.207.25:443 (AS-HOSTINGERLT, Germany); drops C:\Users\user\AppData\Local\Temp\update.exe (PE32); starts update.exe, Acrobat.exe and conhost.exe
- update.exe -> drops C:\Users\user\AppData\Local\...\Dctooux.exe (PE32); Multi AV Scanner detection for dropped file; detected unpacking (changes PE section rights, overwrites its own PE header); contains functionality to inject code into remote processes; starts Dctooux.exe, two WerFault.exe instances and 9 other processes
- Dctooux.exe (first instance) -> same unpacking and multi-AV detections; starts WerFault.exe
- Dctooux.exe (second instance, started under WerFault.exe) -> contacts topgamecheats.dev 93.123.39.96 (NET1-ASBG, Bulgaria); drops cred64.dll (PE32+) and clip64.dll (PE32) under C:\Users\user\AppData\Roaming\...\ and C:\Users\user\AppData\Local\...\ (as cred64[1].dll and clip64[1].dll); starts WerFault.exe
- Acrobat.exe -> starts AcroCEF.exe, which starts a second AcroCEF.exe that contacts 104.79.84.172:443 (AKAMAI-ASUS, United States)
- svchost.exe -> contacts 127.0.0.1
Domains resolved at the root: topgamecheats.dev, sgmindia.biz, cdnproviderhubworldleads.cfd. Root-level signatures: Snort IDS alert for network traffic, Multi AV Scanner detection for domain / URL, Found malware configuration, and 17 other signatures.
Threat name: Shortcut.Trojan.Generic
Status: Suspicious
First seen: 2024-03-17 20:02:05 UTC
File Type: Binary
AV detection: 8 of 23 (34.78%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction: http://92.246.138.48/qqeng
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.

Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.
