MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94892ae5c3bee71ad27491e1801b78af3789a15cacc1817de0a970854b841587. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94892ae5c3bee71ad27491e1801b78af3789a15cacc1817de0a970854b841587
SHA3-384 hash: d63de9e13a5aada509312dd463879edde4bafa503a0d3b90fea4db8fb76036e2eed9847d771f195c50b63cad082c0b37
SHA1 hash: 9a915074586344f727528a5fc63b86b6083e291b
MD5 hash: 903052dc4ec888f7f5bceb743304b9a2
humanhash: gee-nevada-spring-triple
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:3'012'096 bytes
First seen:2024-12-20 16:10:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:tjg19XLi+Kan8iuH0XVdZSsTHdrDquZtqcm0EkBUxOHx:tc197Ian8iuH0XVd0WdrGCBm0ViEx
TLSH T125D539B2A405A3CFD08A53789527CDC66E6D4BF9471048CB985CB5BBBEB3DC026B5C24
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
384
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2024-12-20 16:20:04 UTC
Tags:
amadey botnet stealer loader lumma themida opendir cryptbot github telegram stealc gcleaner credentialflusher auto coinminer arch-exec purecrypter netreactor antivm
Link:
https://app.any.run/tasks/6d21ccb7-e823-4ae3-b105-969163c1728a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6765971b8a4d48ee35fd6834
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm evasive fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67659718dfd3fc9d659df1b4/reports/af3596e2-d575-4de6-9937-b72695275108/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/94892ae5c3bee71ad27491e1801b78af3789a15cacc1817de0a970854b841587
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9d909152-ba7a-4ff8-b878-90c8ccefc439
Result
Threat name:
LummaC, Amadey, LummaC Stealer, PureLog
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1579015
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops VBS files to the startup folder
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected SystemBC
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579015 Sample: file.exe Startdate: 20/12/2024 Architecture: WINDOWS Score: 100 96 jlgenfekjlfnvtgpegkwr.xyz 2->96 98 treehoneyi.click 2->98 100 8 other IPs or domains 2->100 118 Suricata IDS alerts for network traffic 2->118 120 Found malware configuration 2->120 122 Malicious sample detected (through community Yara rule) 2->122 126 21 other signatures 2->126 12 skotes.exe 32 2->12         started        17 file.exe 5 2->17         started        19 wscript.exe 2->19         started        21 2 other processes 2->21 signatures3 124 Performs DNS queries to domains with low reputation 96->124 process4 dnsIp5 108 185.215.113.43, 49727, 49729, 49731 WHOLESALECONNECTIONSNL Portugal 12->108 110 194.126.174.112, 49730, 49776, 80 HVC-ASUS Netherlands 12->110 112 31.41.244.11, 49732, 49736, 49745 AEROEXPRESS-ASRU Russian Federation 12->112 84 C:\Users\user\AppData\...\9a2c1b4302.exe, PE32 12->84 dropped 86 C:\Users\user\AppData\...\ece32691cf.exe, PE32 12->86 dropped 88 C:\Users\user\AppData\...\1de5b2f311.exe, PE32 12->88 dropped 94 9 other malicious files 12->94 dropped 170 Hides threads from debuggers 12->170 172 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->172 174 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 12->174 23 Baursystempower.exe 4 12->23         started        27 ece32691cf.exe 12->27         started        30 8a32a8d958.exe 12->30         started        38 2 other processes 12->38 90 C:\Users\user\AppData\Local\...\skotes.exe, PE32 17->90 dropped 92 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 17->92 dropped 176 Detected unpacking (changes PE section rights) 17->176 178 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 17->178 180 Tries to evade debugger and weak emulator (self modifying code) 17->180 182 Tries to detect virtualization through RDTSC time measurements 17->182 32 skotes.exe 17->32         started        184 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->184 34 Target.exe 19->34         started        186 Contains functionality to start a terminal service 21->186 36 Gxtuum.exe 21->36         started        file6 signatures7 process8 dnsIp9 70 C:\Users\user\AppData\Roaming\Target.exe, PE32 23->70 dropped 72 C:\Users\user\AppData\Roaming\...\Target.vbs, ASCII 23->72 dropped 132 Contains functionality to start a terminal service 23->132 134 Machine Learning detection for dropped file 23->134 136 Found many strings related to Crypto-Wallets (likely being stolen) 23->136 148 2 other signatures 23->148 40 Baursystempower.exe 23->40         started        104 treehoneyi.click 104.21.91.209, 443, 49795, 49803 CLOUDFLARENETUS United States 27->104 138 Antivirus detection for dropped file 27->138 140 Multi AV Scanner detection for dropped file 27->140 142 Detected unpacking (changes PE section rights) 27->142 150 3 other signatures 27->150 106 discokeyus.lat 172.67.197.170, 443, 49740, 49744 CLOUDFLARENETUS United States 30->106 144 Query firmware table information (likely to detect VMs) 30->144 152 2 other signatures 30->152 146 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 32->146 154 2 other signatures 32->154 44 Target.exe 34->44         started        156 2 other signatures 38->156 46 87c402ca32.exe 38->46         started        49 1de5b2f311.exe 38->49         started        51 conhost.exe 38->51         started        53 1de5b2f311.exe 38->53         started        file10 signatures11 process12 dnsIp13 74 C:\Users\user\AppData\Local\...behaviorgraphxtuum.exe, PE32 40->74 dropped 158 Contains functionality to start a terminal service 40->158 55 Gxtuum.exe 40->55         started        114 lossekniyyt.click 172.67.131.246, 443, 49733, 49735 CLOUDFLARENETUS United States 46->114 160 Query firmware table information (likely to detect VMs) 46->160 162 Found many strings related to Crypto-Wallets (likely being stolen) 46->162 164 Tries to steal Crypto Currency Wallets 46->164 116 pancakedipyps.click 104.21.23.76, 443, 49775, 49780 CLOUDFLARENETUS United States 49->116 166 Tries to harvest and steal ftp login credentials 49->166 168 Tries to harvest and steal browser information (history, passwords, etc) 49->168 file14 signatures15 process16 signatures17 128 Contains functionality to start a terminal service 55->128 130 Machine Learning detection for dropped file 55->130 58 Gxtuum.exe 55->58         started        process18 dnsIp19 102 cobolrationumelawrtewarms.com 89.35.131.209, 49757, 49767, 49793 INTERSAT-ASIonRatiunr33RO Romania 58->102 76 C:\Users\user\AppData\...\Autosoundmick.exe, PE32 58->76 dropped 78 C:\Users\user\...\Bestsoundeffectives.exe, PE32 58->78 dropped 80 C:\Users\user\...\Autosoundmick[1].exe, PE32 58->80 dropped 82 C:\Users\user\...\Bestsoundeffectives[1].exe, PE32 58->82 dropped 62 Bestsoundeffectives.exe 58->62         started        file20 process21 signatures22 188 Machine Learning detection for dropped file 62->188 65 Bestsoundeffectives.exe 62->65         started        process23 file24 68 C:\ProgramData\wtkb\qcwew.exe, PE32 65->68 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/94892ae5c3bee71ad27491e1801b78af3789a15cacc1817de0a970854b841587
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94892ae5c3bee71ad27491e1801b78af3789a15cacc1817de0a970854b841587/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-12-20 16:11:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ssesvzodx3trvutushqyag3yv43ytik4vtayc7pavfyiks4ecwdq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
lummastealer
Create hunting rule
gcleaner
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:vidar botnet:9c9aa5 credential_access discovery evasion execution persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/241220-tmxqwsyqdt/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
AutoIT Executable
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Malware Config
C2 Extraction:
http://185.215.113.43
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/91ebf4a2-01e6-41c2-8b7c-68922fdc04b0
Unpacked files
SH256 hash:
b9963cb5bc6b4f91fa462d073e8fc60fd1f469f5f9d53f93ba2529763e89aa57
MD5 hash:
3459f17abd50fc652c071fd54ecee59b
SHA1 hash:
a2e6844ca89880e13d3e65d639b6453860393fa4
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/d4c3131a-5feb-4ed6-8c15-09307a4f6cf8/
SH256 hash:
94892ae5c3bee71ad27491e1801b78af3789a15cacc1817de0a970854b841587
MD5 hash:
903052dc4ec888f7f5bceb743304b9a2
SHA1 hash:
9a915074586344f727528a5fc63b86b6083e291b
Link:
https://www.unpac.me/results/d4c3131a-5feb-4ed6-8c15-09307a4f6cf8/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/94892ae5c3be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 94892ae5c3bee71ad27491e1801b78af3789a15cacc1817de0a970854b841587

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3279844/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_TRUST_INFORequires Elevated Execution (uiAccess:None)high

Comments