MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95c7efe4302f3ef6759cc6af567e196ef27eb66af28f8ac4178b53a6a1fe7e00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95c7efe4302f3ef6759cc6af567e196ef27eb66af28f8ac4178b53a6a1fe7e00
SHA3-384 hash: 4208c9b53c0f00042d624380762bd59d546bdb9f7fb580f29d06984166d65683b6833ddbaaeb0b7a223de60d501e29c1
SHA1 hash: 872d6628f1b06f5a5941b1eae29547d8e2831c44
MD5 hash: 473bd09029b825ba5395ddecf5117fab
humanhash: missouri-three-india-fix
File name:473bd09029b825ba5395ddecf5117fab.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:961'536 bytes
First seen:2023-10-21 10:35:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7ba208feadbc5004adbbe24711c2488 (6 x RedLineStealer, 5 x Amadey, 1 x Backdoor.TeamViewer)
ssdeep 12288:ZdxSVoPOHiJMRxxcZ541BYlLckufEjWky8ot1QyuG/yuD3rCJQewJ:hPOHiJMRxxcZ54bGcNfEjXU1GQ
Threatray 2'194 similar samples on MalwareBazaar
TLSH T130157C2139C18136EDF310FB87ECBA3986ADE4B0075912DB16D856EED7606D23F32592
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
5.252.176.32:3306

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
473bd09029b825ba5395ddecf5117fab.exe
Verdict:
Malicious activity
Analysis date:
2023-10-21 10:48:15 UTC
Tags:
loader smoke
Link:
https://app.any.run/tasks/ee24458e-66dd-48e3-b093-36c7c27cf495

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Pwsx-10011340-0
Create hunting rule

Win.Trojan.Trojanx-10011459-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin smokeloader
Link:
https://www.filescan.io/uploads/6533a9a05f371a3fc85df285/reports/abdf6f0b-1d91-424b-b99b-adfbf4852e6d/overview
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/95c7efe4302f3ef6759cc6af567e196ef27eb66af28f8ac4178b53a6a1fe7e00
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Conti
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e6d2317-6812-40bc-bd6b-4802015111a1
Result
Threat name:
Amadey, Glupteba, LummaC Stealer, Mystic
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329643
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1329643 Sample: 743Om3cylt.exe Startdate: 21/10/2023 Architecture: WINDOWS Score: 100 161 www.google.com 2->161 163 transfer.sh 2->163 165 8 other IPs or domains 2->165 199 Snort IDS alert for network traffic 2->199 201 Found malware configuration 2->201 203 Malicious sample detected (through community Yara rule) 2->203 205 18 other signatures 2->205 15 743Om3cylt.exe 1 2->15         started        18 svchost.exe 2->18         started        21 fdibbcs 2->21         started        23 explothe.exe 2->23         started        signatures3 process4 dnsIp5 257 Contains functionality to inject code into remote processes 15->257 259 Writes to foreign memory regions 15->259 261 Allocates memory in foreign processes 15->261 263 Injects a PE file into a foreign processes 15->263 25 AppLaunch.exe 15->25         started        28 conhost.exe 15->28         started        167 127.0.0.1 unknown unknown 18->167 signatures6 process7 signatures8 235 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 25->235 237 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 25->237 239 Maps a DLL or memory area into another process 25->239 241 2 other signatures 25->241 30 explorer.exe 56 36 25->30 injected process9 dnsIp10 187 5.42.65.80, 49760, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 30->187 189 77.91.68.29, 49717, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 30->189 191 5 other IPs or domains 30->191 153 C:\Users\user\AppData\Local\Temp\FC0A.exe, PE32 30->153 dropped 155 C:\Users\user\AppData\Local\Temp\F449.exe, PE32 30->155 dropped 157 C:\Users\user\AppData\Local\TempED9.exe, PE32 30->157 dropped 159 12 other files (11 malicious) 30->159 dropped 193 System process connects to network (likely due to code injection or exploit) 30->193 195 Benign windows process drops PE files 30->195 197 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->197 35 CC28.exe 4 30->35         started        39 21F2.exe 30->39         started        41 E6CA.exe 30->41         started        43 9 other processes 30->43 file11 signatures12 process13 dnsIp14 115 C:\Users\user\AppData\Local\...\Yv9Iq9Uz.exe, PE32 35->115 dropped 117 C:\Users\user\AppData\Local\...\6nW39CU.exe, PE32 35->117 dropped 207 Antivirus detection for dropped file 35->207 209 Multi AV Scanner detection for dropped file 35->209 211 Machine Learning detection for dropped file 35->211 46 Yv9Iq9Uz.exe 4 35->46         started        119 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 39->119 dropped 121 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 39->121 dropped 123 C:\Users\user\AppData\Local\Temp\kos2.exe, PE32 39->123 dropped 125 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 39->125 dropped 213 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 39->213 50 31839b57a4f11171d6abc8bbc4451ee4.exe 39->50         started        52 kos2.exe 39->52         started        54 toolspub2.exe 39->54         started        127 C:\Users\user\AppData\Local\...\explothe.exe, PE32 41->127 dropped 56 explothe.exe 41->56         started        175 185.196.9.65, 49766, 80 SIMPLECARRIERCH Switzerland 43->175 177 77.91.124.55, 19071 ECOTEL-ASRU Russian Federation 43->177 179 5 other IPs or domains 43->179 215 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 43->215 217 Found many strings related to Crypto-Wallets (likely being stolen) 43->217 219 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 43->219 221 2 other signatures 43->221 59 chrome.exe 43->59         started        61 chrome.exe 43->61         started        63 chrome.exe 43->63         started        65 6 other processes 43->65 file15 signatures16 process17 dnsIp18 141 C:\Users\user\AppData\Local\...\lC7EY8RZ.exe, PE32 46->141 dropped 143 C:\Users\user\AppData\Local\...\5kg44bc.exe, PE32 46->143 dropped 265 Antivirus detection for dropped file 46->265 267 Multi AV Scanner detection for dropped file 46->267 269 Machine Learning detection for dropped file 46->269 67 lC7EY8RZ.exe 4 46->67         started        271 Detected unpacking (changes PE section rights) 50->271 273 Detected unpacking (overwrites its own PE header) 50->273 275 Found Tor onion address 50->275 145 C:\Users\user\AppData\Local\Temp\set16.exe, PE32 52->145 dropped 147 C:\Users\user\AppData\Local\Temp\K.exe, PE32 52->147 dropped 277 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 52->277 279 Sample uses process hollowing technique 54->279 281 Injects a PE file into a foreign processes 54->281 169 77.91.124.1, 49743, 49744, 49750 ECOTEL-ASRU Russian Federation 56->169 149 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 56->149 dropped 151 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 56->151 dropped 283 Creates an undocumented autostart registry key 56->283 285 Uses schtasks.exe or at.exe to add and modify task schedules 56->285 71 cmd.exe 56->71         started        73 schtasks.exe 56->73         started        75 rundll32.exe 56->75         started        171 192.168.2.5, 14433, 19071, 4341 unknown unknown 59->171 173 239.255.255.250 unknown Reserved 59->173 77 chrome.exe 59->77         started        80 chrome.exe 59->80         started        82 chrome.exe 59->82         started        287 Found many strings related to Crypto-Wallets (likely being stolen) 61->287 84 chrome.exe 63->84         started        86 2 other processes 65->86 file19 signatures20 process21 dnsIp22 129 C:\Users\user\AppData\Local\...\Bk9Yf2ib.exe, PE32 67->129 dropped 131 C:\Users\user\AppData\Local\...\4PP120Nf.exe, PE32 67->131 dropped 223 Antivirus detection for dropped file 67->223 225 Multi AV Scanner detection for dropped file 67->225 227 Machine Learning detection for dropped file 67->227 88 Bk9Yf2ib.exe 4 67->88         started        92 conhost.exe 71->92         started        94 cmd.exe 71->94         started        96 cacls.exe 71->96         started        100 4 other processes 71->100 98 conhost.exe 73->98         started        181 part-0012.t-0009.fb-t-msedge.net 13.107.226.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 77->181 183 clients.l.google.com 172.253.122.101, 443, 49724 GOOGLEUS United States 77->183 185 14 other IPs or domains 77->185 file23 signatures24 process25 file26 137 C:\Users\user\AppData\Local\...\DH6RB5lU.exe, PE32 88->137 dropped 139 C:\Users\user\AppData\Local\...\3by5MD51.exe, PE32 88->139 dropped 243 Antivirus detection for dropped file 88->243 245 Multi AV Scanner detection for dropped file 88->245 247 Machine Learning detection for dropped file 88->247 102 DH6RB5lU.exe 4 88->102         started        106 Conhost.exe 92->106         started        signatures27 process28 file29 133 C:\Users\user\AppData\Local\...\2Ze484sG.exe, PE32 102->133 dropped 135 C:\Users\user\AppData\Local\...\1Ku25OO5.exe, PE32 102->135 dropped 229 Antivirus detection for dropped file 102->229 231 Multi AV Scanner detection for dropped file 102->231 233 Machine Learning detection for dropped file 102->233 108 1Ku25OO5.exe 1 102->108         started        111 2Ze484sG.exe 102->111         started        signatures30 process31 signatures32 249 Antivirus detection for dropped file 108->249 251 Multi AV Scanner detection for dropped file 108->251 253 Machine Learning detection for dropped file 108->253 255 3 other signatures 108->255 113 conhost.exe 108->113         started        process33
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/95c7efe4302f3ef6759cc6af567e196ef27eb66af28f8ac4178b53a6a1fe7e00
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/95c7efe4302f3ef6759cc6af567e196ef27eb66af28f8ac4178b53a6a1fe7e00/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-10-21 01:13:59 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxd67zbqf47pm5m4y2xvm7qzn3zh5ntk6khyvraxrnj2nip6pyaa._file
Verdict:
malicious
Similar samples:
2e2208d8929729766d184b02f6030a0b77fb560c1bfbb69e2c56479623083675
Amadey
4cc8908c16393b39793fee6022224b5a8e7bfc4aeb2bd7e4e1532af20ea018e7
Amadey
58448c417657e36527847d43cb0adc5e910b8e5211cbf8b3fc35c52b59332c53
Amadey
753e3781aec1907cc7a901646a9b847ff8e47e9f43d4e70b4732ca1ece335527
Amadey
75ec6c815f4ca762223a0ad901defff84ae8338f4ad9970a7a606bdb1514fd99
Amadey
9db10dca22b6e4b610d74316f7a94f758d32f077666c0b775e9f0f13234f30ff
Amadey
a45f029880d68f5aecdd4ff22d8b74181e32697a2c2a4e92066d71bf2067f3b8
Amadey
eadfa96ccc8310d66e17163dca4825b97b5ca5d510faf53449a85caafdc66809
Amadey
f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3
Amadey
fd42fff03752fe763d0e90f0c164ad376edaf3c24b7bc872c70ecf236ebf9f10
Amadey
+ 2'184 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:redline family:sectoprat family:smokeloader botnet:5141679758_99 botnet:pixelscloud2.0 botnet:rapta botnet:up3 botnet:wolfa botnet:yt&team cloud backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231021-mm9l5aff44/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
Amadey
DcRat
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.55:19071
http://77.91.124.1/theme/index.php
85.209.176.128:80
https://pastebin.com/raw/8baCJyMF
http://host-file-host6.com/
http://host-host-file8.com/
185.216.70.238:37515
Gathering data
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/95c7efe4302f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95c7efe4302f3ef6759cc6af567e196ef27eb66af28f8ac4178b53a6a1fe7e00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Author:qux
Description:Detects exe does not have import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 95c7efe4302f3ef6759cc6af567e196ef27eb66af28f8ac4178b53a6a1fe7e00

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2719350/
  
Delivery method
Distributed via web download

Comments