MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93bbc7e0f489125883985855949ed8a0929d44b5fea0c17db9113fff830793c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93bbc7e0f489125883985855949ed8a0929d44b5fea0c17db9113fff830793c9
SHA3-384 hash: fb87b3edf22001796c897b6b051a48334f7f3123bb0508ba77ac3409cb97f583777673a78d9221b9e1e0c6e0c7055f7e
SHA1 hash: 9195efad68f77e91ff52476c5c7240ac63c10cc3
MD5 hash: 775fdafd6bd3f881be4791019e8605b1
humanhash: east-indigo-burger-queen
File name:775fdafd6bd3f881be4791019e8605b1
Download: download sample
Signature Amadey
Create hunting rule
File size:1'379'312 bytes
First seen:2022-02-01 16:43:38 UTC
Last seen:2022-02-01 19:09:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a3aba06a7ec267b315e99972abb6cbba (1 x Amadey)
ssdeep 24576:CdFItoPC1/CH9lnnWwqznJRitQeowDAky:CvRPC1KdlxqznJRsQeoeAP
Threatray 317 similar samples on MalwareBazaar
TLSH T1F955122633A1C1CFE86819348C02A0F54B967C97AE75E19B7092BF4F54F5E82C87BB51
File icon (PE):PE icon
dhash icon da64ce6df0dbded8 (1 x Amadey, 1 x CoinMiner)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
364
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/229248/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.28501.15332.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Creating a file
Sending an HTTP POST request
Delayed reading of the file
DNS request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed upatre
Link:
https://www.filescan.io/uploads/61f9635ca0f6a794b330e5b8/reports/5729d522-4492-4de5-bf01-77ecae49f3fa/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Deyma
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41cb207c-b319-4a19-beb0-5fa572fc9cf3
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/931853
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicius Add Task From User AppData Temp
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 564328 Sample: Hlf35fELn8 Startdate: 01/02/2022 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 9 other signatures 2->58 8 Hlf35fELn8.exe 3 2->8         started        12 ytouk.exe 2->12         started        14 ytouk.exe 2->14         started        16 2 other processes 2->16 process3 file4 42 C:\Users\user\AppData\Local\...\ytouk.exe, PE32 8->42 dropped 76 Tries to evade analysis by execution special instruction which cause usermode exception 8->76 78 Hides threads from debuggers 8->78 18 ytouk.exe 17 8->18         started        signatures5 process6 dnsIp7 44 2.56.59.26 GBTCLOUDUS Netherlands 18->44 46 192.168.2.1 unknown unknown 18->46 38 C:\Users\user\AppData\Roaming\...\cred.dll, PE32 18->38 dropped 40 C:\Users\user\AppData\Local\...\cred[1].dll, PE32 18->40 dropped 60 Multi AV Scanner detection for dropped file 18->60 62 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->62 64 Machine Learning detection for dropped file 18->64 66 4 other signatures 18->66 23 rundll32.exe 18->23         started        27 cmd.exe 1 18->27         started        29 schtasks.exe 1 18->29         started        file8 signatures9 process10 dnsIp11 48 194.190.152.209 RSHB-ASRU Russian Federation 23->48 50 192.168.2.3 unknown unknown 23->50 68 System process connects to network (likely due to code injection or exploit) 23->68 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->70 72 Tries to steal Instant Messenger accounts or passwords 23->72 74 2 other signatures 23->74 31 reg.exe 1 27->31         started        34 conhost.exe 27->34         started        36 conhost.exe 29->36         started        signatures12 process13 signatures14 80 Creates an undocumented autostart registry key 31->80
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93bbc7e0f489125883985855949ed8a0929d44b5fea0c17db9113fff830793c9/
Threat name:
Win32.Downloader.Deyma
Create hunting rule
Status:
Malicious
First seen:
2022-02-01 16:44:12 UTC
File Type:
PE (Exe)
Extracted files:
71
AV detection:
20 of 28 (71.43%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
045480a084a090029c9f86b103e3f23b4e9e3923180c35d61eca933af3802060
Amadey
162a370d13beddcabc22b041e488b05a53e6eb44cb571fda3b5e276b330d28d3
Amadey
190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5
Amadey
780426de24ae46f300fdaf9cbf597c8f2164f7b6c525c0bbcc07dca087be768c
Amadey
90acaa47b45cdbeb06f4689e4e5412e5c1b3009c03911cddd4a0a8976f1acaf5
Amadey
944bf821a0bb44e9fb1c6a220bf692603e3e51a08b64757fb1891c990f43eb88
Amadey
98b744289399d40bee96ceada3e8a187627ca9d09e4815078b83762ae78cedfb
Amadey
a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df
Amadey
ac0b18ae0851cf5cb499bdcba6bce5d260f114768425aeed65cf6086b27a323d
Amadey
c7304ff0966068d305da031f9da60c5b0ebe32ac43533d27f50190f1ba549347
Amadey
+ 307 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220201-t8tlcshegq/
Unpacked files
SH256 hash:
5fe75013c6fbc1556b9d96e827abf41dda743119665612e570563ecd35f9015a
MD5 hash:
48cc5913a3aefe018d1994d531446bb4
SHA1 hash:
4299875b3807e25da8f147d197c1a21f639dc508
Link:
https://www.unpac.me/results/e1f92696-3150-47b4-a9a7-167b4498dcce/
SH256 hash:
93bbc7e0f489125883985855949ed8a0929d44b5fea0c17db9113fff830793c9
MD5 hash:
775fdafd6bd3f881be4791019e8605b1
SHA1 hash:
9195efad68f77e91ff52476c5c7240ac63c10cc3
Link:
https://www.unpac.me/results/e1f92696-3150-47b4-a9a7-167b4498dcce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/93bbc7e0f489125883985855949ed8a0929d44b5fea0c17db9113fff830793c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 93bbc7e0f489125883985855949ed8a0929d44b5fea0c17db9113fff830793c9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2021487/
Cape
Cape
https://www.capesandbox.com/analysis/229248/

Comments


Avatar
zbet commented on 2022-02-01 16:43:40 UTC

url : hxxp://coin-coin-file-9.com/files/1370_1643723097_549.exe