MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92da2e2e8e08974077caf6411410950134b92d11707d3518d0df1f4809803aad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92da2e2e8e08974077caf6411410950134b92d11707d3518d0df1f4809803aad
SHA3-384 hash: dcffdfce50cf2782f942f481671868a22bf7b0cbecf7905edf3200452cad23a22af76654508bb5abbfadf5dd78da9f4a
SHA1 hash: a48ae8dac568d9110e93d0abfcd58f6764109b93
MD5 hash: ae8897b2eceb2e37da3e573dce22ce32
humanhash: bluebird-nevada-monkey-fish
File name:ae8897b2eceb2e37da3e573dce22ce32
Download: download sample
Signature Amadey
Create hunting rule
File size:7'227'392 bytes
First seen:2022-12-10 08:54:24 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash b7591dfa4fbbd161e8564f9dd58a4133 (2 x Amadey)
ssdeep 196608:ZkBB4WRQcQsaa3V3zgvkOJ33mmsGne375wrKY0ZygiaV:ZkBBKBsaMIHJnmIniE0ZyCV
Threatray 337 similar samples on MalwareBazaar
TLSH T185763372126411D9E0D9CC358A3BFED470F5075F9E92BC7460DAAEE03A260E6F663643
TrID 32.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.3% (.EXE) Win32 Executable (generic) (4505/5/1)
14.8% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
10.0% (.EXE) OS/2 Executable (generic) (2029/13)
9.9% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:32 Amadey dll exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344921/
Detection(s):
SecuriteInfo.com.Generic.ML.PUA.14352.6315.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63944969d4d7598ad904f9e9/reports/f5d62b1d-9ec3-43ed-a58e-bd39bd57ebf5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/119b68a3-6ee7-488d-af0a-78f68b42593b
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131908
Signature
Antivirus detection for URL or domain
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 764630 Sample: IW08G8JRR2.dll Startdate: 10/12/2022 Architecture: WINDOWS Score: 100 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Amadeys stealer DLL 2->42 44 2 other signatures 2->44 8 loaddll32.exe 1 2->8         started        process3 signatures4 54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->54 56 Tries to evade analysis by execution special instruction (VM detection) 8->56 58 Tries to detect virtualization through RDTSC time measurements 8->58 60 Hides threads from debuggers 8->60 11 rundll32.exe 8->11         started        15 rundll32.exe 8->15         started        17 rundll32.exe 8->17         started        19 3 other processes 8->19 process5 dnsIp6 34 85.209.135.109, 49700, 49703, 80 CMCSUS Germany 11->34 36 192.168.2.3, 138, 443, 49681 unknown unknown 11->36 62 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->62 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->64 66 Tries to steal Instant Messenger accounts or passwords 11->66 68 Tries to detect virtualization through RDTSC time measurements 11->68 70 Tries to steal Mail credentials (via file / registry access) 15->70 72 Tries to harvest and steal ftp login credentials 15->72 74 Hides threads from debuggers 15->74 21 WerFault.exe 9 15->21         started        76 System process connects to network (likely due to code injection or exploit) 17->76 23 rundll32.exe 19->23         started        26 WerFault.exe 2 9 19->26         started        28 WerFault.exe 19->28         started        signatures7 process8 signatures9 46 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->46 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->48 50 Tries to steal Instant Messenger accounts or passwords 23->50 52 2 other signatures 23->52 30 WerFault.exe 24 9 23->30         started        32 WerFault.exe 23->32         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92da2e2e8e08974077caf6411410950134b92d11707d3518d0df1f4809803aad/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=slnc4luobclua56k6zarieevae2lslirob6tkggq34puqcmahkwq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37
Amadey
3534fd0b617be19bf24f9b7ff1e98ab23b98aef40bbc2413554a4ec5e016997e
Amadey
37af8d63e8e5adb5a5f30b471fe4e29f686c7923507583a21f46d3b2eb554f09
Amadey
56d901c98e235d2c02936b0553839e7fec6bec501097f87996a47da1f0ae501c
Amadey
682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811
Amadey
ba9b4ed1a5f1e4f658430f393969f1b6a602c5534d745ad3f12fae35cf2a64d1
Amadey
fd3f9ee2a7b4e35be97140818562dc4470f90705cbd959e87c07ed983692e33d
Amadey
+ 327 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey collection spyware stealer trojan
Link:
https://tria.ge/reports/221210-kvg6qsfc38/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_win_path
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Reads local data of messenger clients
Amadey
Detect Amadey credential stealer module
Unpacked files
SH256 hash:
583fbc5c3d2925feb43548169c012dcb163201f686e1f5b27836efab241782b0
MD5 hash:
d30ab6b51b976b6a0c48b2b1749c60ae
SHA1 hash:
d0499948b800fd8b6a47df2d488e783002964adb
Link:
https://www.unpac.me/results/fa4359d2-a9ba-457c-a9b7-f1f070b7996c/
SH256 hash:
92da2e2e8e08974077caf6411410950134b92d11707d3518d0df1f4809803aad
MD5 hash:
ae8897b2eceb2e37da3e573dce22ce32
SHA1 hash:
a48ae8dac568d9110e93d0abfcd58f6764109b93
Link:
https://www.unpac.me/results/fa4359d2-a9ba-457c-a9b7-f1f070b7996c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/92da2e2e8e08/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.32
Link:
https://yomi.yoroi.company/submissions/92da2e2e8e08974077caf6411410950134b92d11707d3518d0df1f4809803aad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

DLL dll 92da2e2e8e08974077caf6411410950134b92d11707d3518d0df1f4809803aad

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2453349/
Cape
Cape
https://www.capesandbox.com/analysis/344921/

Comments


Avatar
zbet commented on 2022-12-10 08:54:30 UTC

url : hxxp://85.209.135.109/jg94cVd30f/Plugins/cred64.dll