MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 931e87f0d7546965a3376fc4c4891c6dc103e39d80d41b327c86fb9c0295fc7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 931e87f0d7546965a3376fc4c4891c6dc103e39d80d41b327c86fb9c0295fc7a
SHA3-384 hash: 69ed886d121b8033c93eb8d6c1ecec8e19995e53cf695b90497ec3cfcc29dc0bc7593ce73ca4f27213ddbc25d14b4f77
SHA1 hash: fb80ffac2192da279c05577df686717ab6a92fff
MD5 hash: 97662ef173a34d4186af3d4290f1a8eb
humanhash: lake-alaska-september-mirror
File name:97662ef173a34d4186af3d4290f1a8eb.bin.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:626'450 bytes
First seen:2023-08-11 14:45:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (390 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 12288:+ToPWBv/cpGrU3yDT+tjIhaEuG2Gwz2eEZtxSxeICe:+TbBv5rUlIaG2GI5wIn5
Threatray 533 similar samples on MalwareBazaar
TLSH T156D4F103BDC1D5B2D4620832571A6B21793CBE202F65CEEFA7D43A5DD9221D0EB317A6
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://45.9.74.70/2BfwEn6KgTm/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
97662ef173a34d4186af3d4290f1a8eb.bin.exe
Verdict:
Malicious activity
Analysis date:
2023-08-11 14:47:38 UTC
Tags:
amadey trojan
Link:
https://app.any.run/tasks/449ff64c-cebb-4f0a-9863-7f05b86bf519

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442174/
Detection(s):
Win.Malware.Fugrafa-9938779-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows directory
Running batch commands
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Creating a file
Delayed reading of the file
Sending a custom TCP request
Adding an access-denied ACE
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102543/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/931e87f0d7546965a3376fc4c4891c6dc103e39d80d41b327c86fb9c0295fc7a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/37a8fd6f-890a-4169-a134-06d44c89be04
Result
Threat name:
Amadey, Xmrig, lolMiner
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290102
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected lolMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1290102 Sample: SzNV36Gpbb.exe Startdate: 11/08/2023 Architecture: WINDOWS Score: 100 116 Found malware configuration 2->116 118 Malicious sample detected (through community Yara rule) 2->118 120 Antivirus detection for dropped file 2->120 122 11 other signatures 2->122 13 SzNV36Gpbb.exe 5 2->13         started        16 yiueea.exe 2->16         started        18 yiueea.exe 2->18         started        20 3 other processes 2->20 process3 file4 98 C:\Windows\am.exe, PE32 13->98 dropped 22 cmd.exe 1 13->22         started        process5 signatures6 132 Drops executables to the windows directory (C:\Windows) and starts them 22->132 25 am.exe 4 22->25         started        29 conhost.exe 22->29         started        process7 file8 96 C:\Windows\1.exe, PE32 25->96 dropped 146 Multi AV Scanner detection for dropped file 25->146 148 Drops executables to the windows directory (C:\Windows) and starts them 25->148 31 1.exe 3 25->31         started        signatures9 process10 file11 100 C:\Users\user\AppData\Local\...\yiueea.exe, PE32 31->100 dropped 110 Antivirus detection for dropped file 31->110 112 Machine Learning detection for dropped file 31->112 114 Contains functionality to inject code into remote processes 31->114 35 yiueea.exe 25 31->35         started        signatures12 process13 dnsIp14 102 45.9.74.70 FIRST-SERVER-EU-ASRU Russian Federation 35->102 104 46.30.40.102 EUROBYTEEurobyteLLCMoscowRussiaRU Russian Federation 35->104 84 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 35->84 dropped 86 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 35->86 dropped 88 C:\Users\user\AppData\Local\Temp\...\mn.exe, PE32 35->88 dropped 90 5 other malicious files 35->90 dropped 124 Antivirus detection for dropped file 35->124 126 Creates an undocumented autostart registry key 35->126 128 Machine Learning detection for dropped file 35->128 130 Uses schtasks.exe or at.exe to add and modify task schedules 35->130 40 p2p.exe 35->40         started        44 mn.exe 35->44         started        46 rundll32.exe 35->46         started        48 3 other processes 35->48 file15 signatures16 process17 file18 92 C:\ProgramData\Windows\p2pclient.exe, PE32 40->92 dropped 136 Multi AV Scanner detection for dropped file 40->136 50 wscript.exe 40->50         started        94 C:\ProgramData\Windows\host.exe, PE32+ 44->94 dropped 138 Machine Learning detection for dropped file 44->138 52 wscript.exe 44->52         started        54 rundll32.exe 46->54         started        57 conhost.exe 48->57         started        59 conhost.exe 48->59         started        61 cmd.exe 1 48->61         started        63 5 other processes 48->63 signatures19 process20 signatures21 65 cmd.exe 50->65         started        67 cmd.exe 52->67         started        134 Tries to harvest and steal browser information (history, passwords, etc) 54->134 69 WerFault.exe 54->69         started        process22 dnsIp23 72 p2pclient.exe 65->72         started        76 conhost.exe 65->76         started        78 host.exe 67->78         started        80 conhost.exe 67->80         started        82 cmd.exe 67->82         started        106 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 69->106 process24 dnsIp25 108 104.26.9.6 CLOUDFLARENETUS United States 72->108 140 Antivirus detection for dropped file 72->140 142 Multi AV Scanner detection for dropped file 72->142 144 Machine Learning detection for dropped file 78->144 signatures26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/931e87f0d7546965a3376fc4c4891c6dc103e39d80d41b327c86fb9c0295fc7a/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-08-11 14:46:07 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=smpip4gxkruwlizxn7cmjci4nxaqhy45qdkbwmt4q35zyauv7r5a._file
Verdict:
malicious
Similar samples:
0c3e2f384b19e296f638c91f22b05f663ec9b0519c0a66efedf4690f0e22ef97
Amadey
301a3e665000c99ab655a74dbf9408de24875866528be4f6d28e83490c19305b
Amadey
6bcf5705424ff9935c6dfd886e666af3cb2da930cfe82b0924b599f682b8f9bf
Amadey
82e31b9bef8bdc34385c82db1239f570fccdb0b96a8f1ae0dcd4fa7abcc9ca25
Amadey
bd98741688cd682de40435bf3acc408f069f83a6643e8ba2140b65d48d76f8cc
Amadey
cf96fa1da1fb359150e2e6d684a9457a7e01a794af2cbcdcdb23b67ceb1901ca
Amadey
eab9ab9842a9c34200c788c0318ff4da8ac4067a0ff5698c62507b3510efc930
Amadey
f1df003e684180821286734985d36cb53e877a027cb6cf3972dda22b1a52c679
Amadey
+ 523 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey spyware stealer trojan upx
Link:
https://tria.ge/reports/230811-r5amzadh43/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Downloads MZ/PE file
Amadey
Malware Config
C2 Extraction:
45.9.74.70/2BfwEn6KgTm/index.php
3.88/2BfwEn6KgTm/index.php
Unpacked files
SH256 hash:
e5c2f3870c61e99f59b04b0a91144b16d347f0b6a273a4e059d53239ffa4f865
MD5 hash:
3d878db15e7dbf39134eab9c490c6998
SHA1 hash:
2844b4624aee2f5a00394747b67ede80f9d20d03
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/0f542a7d-c336-48f3-9272-e1dc77d5ca2c/
SH256 hash:
931e87f0d7546965a3376fc4c4891c6dc103e39d80d41b327c86fb9c0295fc7a
MD5 hash:
97662ef173a34d4186af3d4290f1a8eb
SHA1 hash:
fb80ffac2192da279c05577df686717ab6a92fff
Link:
https://www.unpac.me/results/0f542a7d-c336-48f3-9272-e1dc77d5ca2c/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/931e87f0d754/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/931e87f0d7546965a3376fc4c4891c6dc103e39d80d41b327c86fb9c0295fc7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/442174/

Comments