MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9722684030191bcdf0420e324eb642f90c963e71e44042436fd7a8c0d6867838. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9722684030191bcdf0420e324eb642f90c963e71e44042436fd7a8c0d6867838
SHA3-384 hash: 10fa96a9afb99ee0cc39e143cdff4360ebc0b5789946f76519705e50051976eb06e5895879e584a5a568f33fcf5a3157
SHA1 hash: 29fb85ff2debc2954594664d16e4d1bab003dac6
MD5 hash: 8ee1f079d9a51c02ea02d6fbd2300c0a
humanhash: illinois-sodium-kentucky-saturn
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:1'910'784 bytes
First seen:2024-08-18 04:10:26 UTC
Last seen:2024-08-18 04:17:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:jGj/4EN/s05Q4Agj2529yW5qZZiHQSQ7kQY0qA:j8Q6/sIQuU235AQQptY0qA
TLSH T119953388883309BDC5DD06BB9A9BB5A1FB5086513159B44C9B9BFBF79132B9C2434C3C
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/soka/random.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
459
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-08-18 04:12:50 UTC
Tags:
amadey botnet stealer loader stealc metastealer themida redline cryptbot github lumma python
Link:
https://app.any.run/tasks/a7412d3b-4cb2-4aed-b4ac-b7c0ce2d26fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.5118.27721.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c17458aa5b40be0aa05933
Tags:
Discovery Execution Generic Infostealer Network Stealth Trojan Crypt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/66c17457d07f13198dd34d3e/reports/250e2888-48b7-4fe5-a50e-ae4ede83399e/overview
Verdict:
Malicious
Labled as:
Kryptik.Generic
Link:
https://www.hybrid-analysis.com/sample/9722684030191bcdf0420e324eb642f90c963e71e44042436fd7a8c0d6867838
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6ddd49a4-91b7-4045-95c0-3812a61f4e73
Result
Threat name:
Amadey, Cryptbot, Go Injector, PureLog S
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1494336
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Amadeys stealer DLL
Yara detected Cryptbot
Yara detected Go Injector
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1494336 Sample: file.exe Startdate: 18/08/2024 Architecture: WINDOWS Score: 100 150 Multi AV Scanner detection for domain / URL 2->150 152 Found malware configuration 2->152 154 Malicious sample detected (through community Yara rule) 2->154 156 27 other signatures 2->156 11 axplong.exe 43 2->11         started        16 file.exe 5 2->16         started        18 axplong.exe 2->18         started        20 3 other processes 2->20 process3 dnsIp4 142 154.216.17.4 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 11->142 144 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 11->144 146 2 other IPs or domains 11->146 124 C:\Users\user\AppData\Local\...\Images.exe, PE32 11->124 dropped 126 C:\Users\user\AppData\...\mobiletrans.exe, PE32+ 11->126 dropped 128 C:\Users\user\AppData\Local\...\runtime.exe, PE32 11->128 dropped 134 17 other malicious files 11->134 dropped 206 Hides threads from debuggers 11->206 208 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->208 210 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 11->210 22 BattleGermany.exe 11->22         started        26 stealc_default.exe 11->26         started        29 crypteda.exe 1 11->29         started        35 5 other processes 11->35 130 C:\Users\user\AppData\Local\...\axplong.exe, PE32 16->130 dropped 132 C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII 16->132 dropped 212 Detected unpacking (changes PE section rights) 16->212 214 Tries to evade debugger and weak emulator (self modifying code) 16->214 216 Tries to detect virtualization through RDTSC time measurements 16->216 218 Potentially malicious time measurement code found 16->218 31 axplong.exe 16->31         started        220 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->220 33 Conhost.exe 20->33         started        file5 signatures6 process7 dnsIp8 106 C:\Users\user\AppData\Local\Temp\Tracked, data 22->106 dropped 118 7 other malicious files 22->118 dropped 180 Multi AV Scanner detection for dropped file 22->180 182 Writes many files with high entropy 22->182 37 cmd.exe 22->37         started        136 185.215.113.17 WHOLESALECONNECTIONSNL Portugal 26->136 108 C:\Users\user\AppData\...\softokn3[1].dll, PE32 26->108 dropped 110 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 26->110 dropped 112 C:\Users\user\AppData\...\mozglue[1].dll, PE32 26->112 dropped 120 9 other files (5 malicious) 26->120 dropped 184 Tries to steal Mail credentials (via file / registry access) 26->184 186 Found many strings related to Crypto-Wallets (likely being stolen) 26->186 198 4 other signatures 26->198 188 Antivirus detection for dropped file 29->188 190 Machine Learning detection for dropped file 29->190 200 3 other signatures 29->200 41 RegAsm.exe 29->41         started        43 conhost.exe 29->43         started        192 Detected unpacking (changes PE section rights) 31->192 194 Tries to detect sandboxes and other dynamic analysis tools (window names) 31->194 202 4 other signatures 31->202 138 185.215.113.67 WHOLESALECONNECTIONSNL Portugal 35->138 140 80.249.145.88 SELECTELRU Russian Federation 35->140 114 C:\Users\user\AppData\Local\...\Hkbsse.exe, PE32 35->114 dropped 116 C:\Users\user\AppData\Local\Temp\Zinc, data 35->116 dropped 122 7 other malicious files 35->122 dropped 196 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->196 204 2 other signatures 35->204 45 RegAsm.exe 1 18 35->45         started        48 cmd.exe 35->48         started        50 Hkbsse.exe 35->50         started        file9 signatures10 process11 dnsIp12 98 C:\Users\user\AppData\Local\...\Community.pif, PE32 37->98 dropped 170 Drops PE files with a suspicious file extension 37->170 172 Uses schtasks.exe or at.exe to add and modify task schedules 37->172 174 Writes many files with high entropy 37->174 52 Community.pif 37->52         started        56 cmd.exe 37->56         started        58 conhost.exe 37->58         started        68 7 other processes 37->68 100 C:\Users\user\AppData\...\OCDW0t0tCX.exe, PE32 41->100 dropped 102 C:\Users\user\AppData\...\6xeeqrgiPd.exe, PE32 41->102 dropped 60 OCDW0t0tCX.exe 41->60         started        62 6xeeqrgiPd.exe 41->62         started        148 20.52.165.210 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 45->148 176 Installs new ROOT certificates 45->176 104 C:\Users\user\AppData\Local\...\Beijing.pif, PE32 48->104 dropped 64 tasklist.exe 48->64         started        66 conhost.exe 48->66         started        70 3 other processes 48->70 178 Multi AV Scanner detection for dropped file 50->178 file13 signatures14 process15 file16 90 C:\Users\user\AppData\Local\...\SkyPilot.pif, PE32 52->90 dropped 92 C:\Users\user\AppData\Local\...\SkyPilot.js, ASCII 52->92 dropped 94 C:\Users\user\AppData\Local\...\D, data 52->94 dropped 158 Drops PE files with a suspicious file extension 52->158 160 Writes to foreign memory regions 52->160 162 Writes many files with high entropy 52->162 164 Injects a PE file into a foreign processes 52->164 72 cmd.exe 52->72         started        74 schtasks.exe 52->74         started        96 C:\Users\user\AppData\Local\Temp\177479\s, data 56->96 dropped 166 Multi AV Scanner detection for dropped file 60->166 168 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 60->168 76 conhost.exe 60->76         started        78 conhost.exe 62->78         started        80 Conhost.exe 64->80         started        signatures17 process18 process19 82 conhost.exe 72->82         started        84 schtasks.exe 72->84         started        86 conhost.exe 74->86         started        process20 88 Conhost.exe 86->88         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9722684030191bcdf0420e324eb642f90c963e71e44042436fd7a8c0d6867838
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9722684030191bcdf0420e324eb642f90c963e71e44042436fd7a8c0d6867838/
Threat name:
Win32.Ransomware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-08-18 04:11:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4rgqqbqden434ccbyze5nsc7egjmptr4raeeq3p26umbvugpa4a._file
Verdict:
malicious
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:redline family:stealc botnet:14082024 botnet:816fa botnet:a51500 botnet:default botnet:fed3aa botnet:livetraffic credential_access defense_evasion discovery evasion execution infostealer persistence pyinstaller spyware stealer trojan
Link:
https://tria.ge/reports/240818-eryfnavclb/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Indirect Command Execution
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Lumma Stealer, LummaC
Modifies WinLogon for persistence
RedLine
RedLine payload
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.215.113.16
20.52.165.210:39030
http://185.215.113.17
185.215.113.67:21405
88.99.151.68:7200
http://api.garageserviceoperation.com
https://potentioallykeos.shop/api
https://interactiedovspm.shop/api
https://charecteristicdxp.shop/api
https://cagedwifedsozm.shop/api
https://deicedosmzj.shop/api
https://southedhiscuso.shop/api
https://consciousourwi.shop/api
https://tenntysjuxmz.shop/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9c0f3b67-cee9-4295-8c1a-c01ca197fe1c
Unpacked files
SH256 hash:
cac340d6f6160b1c20ed5ea26502404c7df4f65c6bda6827a938779ca36d2892
MD5 hash:
f56ca418c477d031e00e14e2cd60e58e
SHA1 hash:
4e1f427413951bd38ef09ddb6c783d9c26d018d1
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/39a5a536-d99a-4fae-9100-6f6e76a8576b/
SH256 hash:
9722684030191bcdf0420e324eb642f90c963e71e44042436fd7a8c0d6867838
MD5 hash:
8ee1f079d9a51c02ea02d6fbd2300c0a
SHA1 hash:
29fb85ff2debc2954594664d16e4d1bab003dac6
Link:
https://www.unpac.me/results/39a5a536-d99a-4fae-9100-6f6e76a8576b/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/972268403019/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9722684030191bcdf0420e324eb642f90c963e71e44042436fd7a8c0d6867838

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 9722684030191bcdf0420e324eb642f90c963e71e44042436fd7a8c0d6867838

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3067427/
  
URLhaus
https://urlhaus.abuse.ch/url/3067442/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments