Threat name:
LummaC, Python Stealer, Amadey, Monster
Classification:
spre.troj.adwa.spyw.evad
Signatures:
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected generic credential text file
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the System eventlog
Sends many emails (e-Mail Spam)
Sigma detected: Capture Wi-Fi password
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Snort IDS alert for network traffic
Tries to detect debuggers (CloseHandle check)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to resolve many domain names, but no domain seems valid
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Generic Python Stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
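Several of the signatures above (Adds a directory exclusion to Windows Defender, Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet, Uses netsh to modify the Windows network and firewall settings, Tries to harvest and steal WLAN passwords, Uses attrib.exe to hide files) fire on process command lines. The Python below is an added example, not part of this report and not Joe Sandbox or Sigma code: it shows how a detection engineer can reproduce those checks over process-creation events, decoding a PowerShell -EncodedCommand payload (base64 of UTF-16LE) before matching so that an encoded Add-MpPreference/Set-MpPreference call is not missed. The event records, pids and command lines are constructed for the example, and the regexes are approximations of the named signatures rather than the sandbox's or the Sigma rule's own logic.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed process-creation events (not taken from the report). The command
# lines mirror the behaviours the signatures above describe; pids and image
# names are made up for the example.
_ENC = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Local'".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 101, "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {_ENC}"},
    {"pid": 102, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c netsh wlan show profile name="HomeWiFi" key=clear'},
    {"pid": 103, "image": "cmd.exe",
     "cmdline": "cmd.exe /c netsh advfirewall set allprofiles state off"},
    {"pid": 104, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c attrib +h +s "C:\\ProgramData\\okili\\peombdb.exe"'},
    {"pid": 105, "image": "cmd.exe", "cmdline": "cmd.exe /c dir C:\\Users"},
]

# -e, -ec, -enc and -EncodedCommand are the common spellings; PowerShell also
# accepts any other unambiguous prefix, which a production rule should cover.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Rule approximations of the signatures: each is a regex over the command line,
# or over the decoded PowerShell payload when one is present.
RULES = {
    "mppreference_tamper": re.compile(
        r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Process|Extension)|Disable\w+)",
        re.I | re.S),
    "wlan_key_clear": re.compile(
        r"\bnetsh\b.*\bwlan\b.*\bshow\b.*\bprofile\b.*\bkey\s*=\s*clear", re.I),
    "netsh_firewall_change": re.compile(r"\bnetsh\b.*\b(?:advfirewall|firewall)\b", re.I),
    "attrib_hide": re.compile(r"\battrib(?:\.exe)?\b.*\+[hs]", re.I),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None.

    Invalid base64 or a non-UTF-16 payload yields None instead of raising, so
    one malformed event cannot abort a scan over a whole log.
    """
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify(cmdline: str) -> List[str]:
    """Tags triggered by one command line, in RULES order."""
    decoded = decode_encoded_command(cmdline)
    # Match on the decoded payload when there is one: the base64 blob never
    # reaches the regexes, and encoded tradecraft is still seen in clear text.
    text = decoded if decoded is not None else cmdline
    tags = [name for name, rx in RULES.items() if rx.search(text)]
    # Keep the encoding in the finding; the Sigma signature is specifically
    # about the base64-wrapped MpPreference cmdlet.
    if decoded is not None and "mppreference_tamper" in tags:
        tags[tags.index("mppreference_tamper")] = "mppreference_tamper_b64"
    return tags


def scan(events) -> List[Tuple[int, str, str]]:
    """(pid, image, tag) for every rule hit over a list of event dicts."""
    return [(ev["pid"], ev["image"], tag)
            for ev in events for tag in classify(ev["cmdline"])]


if __name__ == "__main__":
    for pid, image, tag in scan(SAMPLE_EVENTS):
        print(f"pid={pid} {image}: {tag}")
```

Running the block over the constructed events yields one hit per malicious command line and none for the benign dir call; the decode step is what turns the opaque -EncodedCommand blob into a matchable Add-MpPreference string.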
Behavior Graph
ID: 1452030
Sample: DPqKF5vqpe.exe
Startdate: 04/06/2024
Architecture: WINDOWS
Score: 100

Process tree recovered from the behavior graph (network contacts, dropped files and triggered signatures per process; the "other" counts are the graph's own collapsed nodes):

Analysis root (submitted sample)
  Network: securesmtp.raranride.xyz; out.raranride.xyz (Performs DNS queries to domains with low reputation); 636 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 27 other signatures
  Started: DPqKF5vqpe.exe; axplong.exe (two instances); 7 other processes

  DPqKF5vqpe.exe
    Dropped: C:\Users\user\AppData\Local\...\axplong.exe (PE32); C:\Users\user\...\axplong.exe:Zone.Identifier (ASCII)
    Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements; Potentially malicious time measurement code found
    Started: axplong.exe

    axplong.exe
      Network: 77.91.77.81 (ports 49703, 49712, 49713; FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); 5.42.66.47 (ports 49704, 49710, 49711; RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 3 other IPs or domains
      Dropped: C:\Users\user\AppData\...\services64.exe (PE32+); C:\Users\user\AppData\Local\...\lrthijawd.exe (PE32+); C:\Users\user\AppData\Local\...\lumma123.exe (PE32); 11 other malicious files
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 6 other signatures
      Started: judit.exe; upd.exe; services64.exe; 4 other processes

      judit.exe
        Dropped: C:\Users\user\AppData\...\_quoting_c.pyd (PE32+); C:\Users\user\AppData\...\vcruntime140.dll (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 32 other files (31 malicious)
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
        Started: stub.exe

        stub.exe
          Network: 208.95.112.1 (TUT-ASUS, United States); restores.name 52.143.157.238 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 2 other IPs or domains
          Dropped: C:\Users\user\AppData\Local\...\Monster.exe (PE32+); C:\Users\user\AppData\...\system_info.txt (Algol); C:\Users\user\AppData\...\process_info.txt (ASCII); 3 other malicious files
          Signatures: Multi AV Scanner detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc); Modifies the windows firewall; 5 other signatures
          Started: cmd.exe (three instances); 8 other processes

          cmd.exe
            Signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords; Uses attrib.exe to hide files
            Started: conhost.exe

          cmd.exe
            Started: powershell.exe; conhost.exe

            powershell.exe
              Signatures: Installs new ROOT certificates

          cmd.exe
            Started: 2 other processes

          8 other processes
            Started: systeminfo.exe; conhost.exe; 13 other processes

            systeminfo.exe
              Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

      upd.exe
        Signatures: Writes to foreign memory regions; 2 other signatures
        Started: RegAsm.exe (two instances)

        RegAsm.exe
          Dropped: C:\Users\user\AppData\Roaming\...\svhoost.exe (PE32); C:\Users\user\AppData\Roaming\...\One.exe (PE32)
          Started: svhoost.exe; One.exe

          svhoost.exe
            Network: 185.172.128.33 (NADYMSS-ASRU, Russian Federation)
            Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Installs new ROOT certificates; 3 other signatures

          One.exe
            Signatures: Reads the System eventlog
            Started: conhost.exe

      services64.exe
        Dropped: C:\ProgramData\...\WindowsAutHost (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
        Signatures: Overwrites code with unconditional jumps (possibly setting hooks in foreign process); Query firmware table information (likely to detect VMs); 6 other signatures
        Started: powershell.exe

        powershell.exe
          Signatures: Loading BitLocker PowerShell Module
          Started: conhost.exe

      4 other processes
        Network: 185.215.113.67 (WHOLESALECONNECTIONSNL, Portugal)
        Dropped: C:\Users\user\AppData\Local\Temp\...\work.exe (PE32+)
        Signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures
        Started: cmd.exe; RegAsm.exe (two instances); 2 other processes

        cmd.exe
          Started: work.exe; conhost.exe

          work.exe
            Dropped: C:\Users\user\AppData\Local\...\jergs.exe (PE32)
            Started: jergs.exe

            jergs.exe
              Dropped: C:\ProgramData\okili\peombdb.exe (PE32)
              Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

  axplong.exe (first instance started from the root)
    Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

  axplong.exe (second instance started from the root; no signatures or drops shown)

  7 other processes
    Network: 185.43.220.45 (WIBO-ASLT, Lithuania); lostgeek.co.uk 51.148.131.93 (ZEN-ASZenInternet-UKGB, United Kingdom); 96 other IPs or domains
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    Started: WerFault.exe
url: hxxp://77.91.77.81/soka/random.exe