MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96031b07c965954b26e41ea34e914403ccb5b71b758841ad08a132f968c0a078. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96031b07c965954b26e41ea34e914403ccb5b71b758841ad08a132f968c0a078
SHA3-384 hash: 1e7149ba18cbeff0b53320d5a2db0e996637f26764de0044408ef4b9731d88332faa490829990a357969f5879a8be6cd
SHA1 hash: dfe4190bd323d1b8f41b594325e4b72c5db0589b
MD5 hash: f6b6cc224bd5d781061c7550b2055c11
humanhash: xray-uniform-shade-batman
File name:f6b6cc224bd5d781061c7550b2055c11
Download: download sample
Signature Amadey
Create hunting rule
File size:619'008 bytes
First seen:2022-01-12 08:41:24 UTC
Last seen:2022-01-12 13:08:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a3873e9f4c3f2553a2874ec7618ce21e (1 x RaccoonStealer, 1 x Amadey, 1 x RedLineStealer)
ssdeep 12288:LILn6MEfztqUnUxs9iIoDyJRj86dMDexWcAch4tUTc6CfGz:LcJEhqW6UiIouJRj8qMDeccFh4ec3fG
TLSH T136D4BE057781EA6EE44502F14834FD6C0DA659F1DBEF82F777B42E2E0D622D005B87AA
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
426
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f6b6cc224bd5d781061c7550b2055c11
Verdict:
Malicious activity
Analysis date:
2022-01-12 13:01:53 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/b5cdb7db-219e-40ec-8321-1fa0ed68ae85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/218602/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.24797.10419.4194.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2db3620-b848-4d2a-9146-0aeb781fa724
Result
Threat name:
Amadey RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/919050
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 551527 Sample: LW3UTUMPHt Startdate: 12/01/2022 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Antivirus detection for URL or domain 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 5 other signatures 2->61 10 LW3UTUMPHt.exe 2->10         started        13 mjlooy.exe 2->13         started        15 mjlooy.exe 2->15         started        process3 signatures4 81 Writes to foreign memory regions 10->81 83 Allocates memory in foreign processes 10->83 85 Injects a PE file into a foreign processes 10->85 17 AppLaunch.exe 15 7 10->17         started        87 Query firmware table information (likely to detect VMs) 13->87 89 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->89 process5 dnsIp6 47 77.232.40.51, 20166, 49731 EUT-ASEUTIPNetworkRU Russian Federation 17->47 49 gitlab.com 172.65.251.78, 443, 49749, 49761 CLOUDFLARENETUS United States 17->49 43 C:\Users\user\AppData\Local\Temp\axmed.exe, PE32 17->43 dropped 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->63 65 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->65 67 Tries to harvest and steal browser information (history, passwords, etc) 17->67 69 Tries to steal Crypto Currency Wallets 17->69 22 axmed.exe 3 17->22         started        file7 signatures8 process9 file10 45 C:\Users\user\AppData\Local\...\mjlooy.exe, PE32 22->45 dropped 73 Multi AV Scanner detection for dropped file 22->73 75 Query firmware table information (likely to detect VMs) 22->75 77 Machine Learning detection for dropped file 22->77 79 Tries to detect sandboxes / dynamic malware analysis system (registry check) 22->79 26 mjlooy.exe 19 22->26         started        signatures11 process12 dnsIp13 51 185.215.113.42, 49758, 49759, 49760 WHOLESALECONNECTIONSNL Portugal 26->51 53 gitlab.com 26->53 91 Multi AV Scanner detection for dropped file 26->91 93 Query firmware table information (likely to detect VMs) 26->93 95 Creates HTML files with .exe extension (expired dropper behavior) 26->95 97 3 other signatures 26->97 30 cmd.exe 1 26->30         started        32 schtasks.exe 1 26->32         started        34 WerFault.exe 9 26->34         started        signatures14 process15 process16 36 reg.exe 1 30->36         started        39 conhost.exe 30->39         started        41 conhost.exe 32->41         started        signatures17 71 Creates an undocumented autostart registry key 36->71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96031b07c965954b26e41ea34e914403ccb5b71b758841ad08a132f968c0a078/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-11 12:02:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 43 (60.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sybrwb6jmwkuwjxed2ru5ekeapgllny3oweedliiuezps2gaub4a._file
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey evasion spyware suricata trojan
Link:
https://tria.ge/reports/220112-kl1lqabhgp/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
suricata: ET MALWARE Amadey CnC Check-In
Malware Config
C2 Extraction:
185.215.113.42/f83jd823S/index.php
Unpacked files
SH256 hash:
05fea312b93c5f6711e9375735f42e0859ec89f3cc43e37207667dddff90b2db
MD5 hash:
6fa7443bb90d00a5c76804bf44009e8a
SHA1 hash:
89d64f7462126abf43cd80e35080624ae210be60
Link:
https://www.unpac.me/results/38efae60-c2c8-4aec-ab9f-ae57b8dfeb5b/
SH256 hash:
96031b07c965954b26e41ea34e914403ccb5b71b758841ad08a132f968c0a078
MD5 hash:
f6b6cc224bd5d781061c7550b2055c11
SHA1 hash:
dfe4190bd323d1b8f41b594325e4b72c5db0589b
Link:
https://www.unpac.me/results/38efae60-c2c8-4aec-ab9f-ae57b8dfeb5b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96031b07c965954b26e41ea34e914403ccb5b71b758841ad08a132f968c0a078

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 96031b07c965954b26e41ea34e914403ccb5b71b758841ad08a132f968c0a078

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/218602/
  
URLhaus
https://urlhaus.abuse.ch/url/1970192/

Comments


Avatar
zbet commented on 2022-01-12 08:41:26 UTC

url : hxxp://data-host-coin-8.com/files/5085_1641876208_9248.exe