MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9777098d0d0de061051d401fb5fcc58121542cff64dc7b5afd3d9a23d6e912a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9777098d0d0de061051d401fb5fcc58121542cff64dc7b5afd3d9a23d6e912a2
SHA3-384 hash: fe496ee081c2b0aec7ac391a9a5ead392f0590e57fc754281112d37030da4f6a1e45ac48bb8b03ca78ae7e0a93b806b6
SHA1 hash: e51cdeeb27fc904b552c2a7bf92ab4f144470b3b
MD5 hash: d6b9c5b223b21ced85fd9a5e8a6651ce
humanhash: uncle-florida-enemy-winner
File name:d6b9c5b223b21ced85fd9a5e8a6651ce.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'530'880 bytes
First seen:2023-10-30 17:42:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:yypRP7BkGAp+oxOXzDllxnwookK96Nj+2zkHDeOGvXdu8M/g+g7sKE:ZpRPEp+oKjC9oHaW/duTgo
Threatray 2'421 similar samples on MalwareBazaar
TLSH T14A65339286E05673FDB517310CF197E70F28BCB58635CA97A102A84E18B2AD1F1B17B7
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457150/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Disabler-10011425-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching cmd.exe command interpreter
Running batch commands
Forced shutdown of a system process
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/653feb2a34de31f579ce212d/reports/7bba1015-d9a2-45e6-a8ef-6ecd8c721a58/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9777098d0d0de061051d401fb5fcc58121542cff64dc7b5afd3d9a23d6e912a2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1d0ddef-f9ba-44b0-a8cc-ac90b1a7e7d2
Result
Threat name:
Amadey, Babadeda, Mystic Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1334417
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1334417 Sample: SCD96ZDebj.exe Startdate: 30/10/2023 Architecture: WINDOWS Score: 100 107 Snort IDS alert for network traffic 2->107 109 Found malware configuration 2->109 111 Malicious sample detected (through community Yara rule) 2->111 113 16 other signatures 2->113 11 SCD96ZDebj.exe 1 4 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        18 4 other processes 2->18 process3 file4 89 C:\Users\user\AppData\Local\...\si6vA7BU.exe, PE32 11->89 dropped 91 C:\Users\user\AppData\Local\...\6hi54gD.exe, PE32 11->91 dropped 20 si6vA7BU.exe 1 4 11->20         started        process5 file6 75 C:\Users\user\AppData\Local\...\mn6XW3iI.exe, PE32 20->75 dropped 77 C:\Users\user\AppData\Local\...\5mP05nC.exe, PE32 20->77 dropped 115 Antivirus detection for dropped file 20->115 117 Machine Learning detection for dropped file 20->117 24 mn6XW3iI.exe 1 4 20->24         started        28 5mP05nC.exe 20->28         started        signatures7 process8 file9 83 C:\Users\user\AppData\Local\...\Zb9fO8yz.exe, PE32 24->83 dropped 85 C:\Users\user\AppData\Local\...\4WW137PO.exe, PE32 24->85 dropped 145 Antivirus detection for dropped file 24->145 147 Machine Learning detection for dropped file 24->147 30 Zb9fO8yz.exe 1 4 24->30         started        34 4WW137PO.exe 24->34         started        87 C:\Users\user\AppData\Local\...\explothe.exe, PE32 28->87 dropped 36 explothe.exe 28->36         started        signatures10 process11 dnsIp12 93 C:\Users\user\AppData\Local\...\qi6Lf1zc.exe, PE32 30->93 dropped 95 C:\Users\user\AppData\Local\...\3NL4jb96.exe, PE32 30->95 dropped 149 Antivirus detection for dropped file 30->149 151 Multi AV Scanner detection for dropped file 30->151 153 Machine Learning detection for dropped file 30->153 39 qi6Lf1zc.exe 1 4 30->39         started        43 3NL4jb96.exe 12 30->43         started        155 Writes to foreign memory regions 34->155 157 Allocates memory in foreign processes 34->157 159 Injects a PE file into a foreign processes 34->159 45 AppLaunch.exe 34->45         started        101 77.91.124.1, 49716, 49717, 49718 ECOTEL-ASRU Russian Federation 36->101 97 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 36->97 dropped 99 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 36->99 dropped 161 Creates an undocumented autostart registry key 36->161 163 Uses schtasks.exe or at.exe to add and modify task schedules 36->163 47 cmd.exe 36->47         started        49 schtasks.exe 36->49         started        51 rundll32.exe 36->51         started        file13 signatures14 process15 file16 79 C:\Users\user\AppData\Local\...\2Hn425GV.exe, PE32 39->79 dropped 81 C:\Users\user\AppData\Local\...\1Xy76aH5.exe, PE32 39->81 dropped 139 Antivirus detection for dropped file 39->139 141 Machine Learning detection for dropped file 39->141 53 1Xy76aH5.exe 39->53         started        56 2Hn425GV.exe 4 39->56         started        143 Tries to harvest and steal browser information (history, passwords, etc) 45->143 59 conhost.exe 47->59         started        61 cmd.exe 47->61         started        63 cacls.exe 47->63         started        67 4 other processes 47->67 65 conhost.exe 49->65         started        signatures17 process18 dnsIp19 119 Contains functionality to inject code into remote processes 53->119 121 Writes to foreign memory regions 53->121 123 Allocates memory in foreign processes 53->123 125 Injects a PE file into a foreign processes 53->125 69 AppLaunch.exe 53->69         started        72 AppLaunch.exe 12 53->72         started        103 77.91.124.86, 19084, 49706, 49715 ECOTEL-ASRU Russian Federation 56->103 127 Antivirus detection for dropped file 56->127 129 Multi AV Scanner detection for dropped file 56->129 131 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 56->131 133 2 other signatures 56->133 signatures20 process21 dnsIp22 135 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 69->135 137 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 69->137 105 193.233.255.73, 49705, 49710, 80 FREE-NET-ASFREEnetEU Russian Federation 72->105 signatures23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9777098d0d0de061051d401fb5fcc58121542cff64dc7b5afd3d9a23d6e912a2
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9777098d0d0de061051d401fb5fcc58121542cff64dc7b5afd3d9a23d6e912a2/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-30 17:43:08 UTC
File Type:
PE (Exe)
Extracted files:
193
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s53qtdinbxqgcbi5iap3l7gfqeqvilh7mtohwwx5hwnchvxjckra._file
Verdict:
malicious
Similar samples:
305653109239144203fae4638c4f7eead4a84928ded603244b35ed1dc07b69d6
Amadey
4cb429f2d4df1601088f0751401d5653b16942c84455340729337b003da5a71a
Amadey
696a4cdac022af544d50350572f5349368c2574b3b9734f98134752820b7e8e6
Amadey
9c16ccf65f66a0df7c2fc5c818a668991cf58992eb43d60a74a18228b4dc2899
Amadey
b10276028f913fa2bdcddea46213402e0181c54b33ff4b0df693da8cca6687dc
Amadey
b8226c3a4abb0f0b72ca08b6f1b174cbf53f371ffeac2b1727111e80ed38c1d4
Amadey
ba2cf4bbcc174a35b0f807518bb824b698fa537acba3178034c73f8a637caf9c
Amadey
bc35ae2f98c180de5b834e020b1fc06a31da525192dbeb22109b1437981d71d8
Amadey
+ 2'411 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kinza infostealer persistence
Link:
https://tria.ge/reports/231030-wak8fagc66/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.86:19084
Unpacked files
SH256 hash:
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
MD5 hash:
e561df80d8920ae9b152ddddefd13c7c
SHA1 hash:
0d020453f62d2188f7a0e55442af5d75e16e7caf
Link:
https://www.unpac.me/results/ca98dba2-113d-4964-81a6-371f1218cc83/
SH256 hash:
aa5528539dfa090b64440fc5bc2ec26241767d5b46bf0cb9885e1298a28c09a9
MD5 hash:
2508e0abe50484987519304fac6258ef
SHA1 hash:
02a1f859b322a1abf02e2d30bf5492be3e19ec4c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/ca98dba2-113d-4964-81a6-371f1218cc83/
Parent samples :
9777098d0d0de061051d401fb5fcc58121542cff64dc7b5afd3d9a23d6e912a2
f5b56456c023f9abab5df3b60b4790a5541ddf8453769b6835ca43956770d423
19da55e79b51f767e1d73cd00cfdee786c42420ac4426c641a9dbdb29791c3bc
SH256 hash:
91be59718a67cbd041d9838efbbcacab9bc82bb81dc6dba84a78c2584c0cfa26
MD5 hash:
a0ab0b236c0d411abacf0896de81830e
SHA1 hash:
9a0ac092a08a14f440a30b853d99129285936c63
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/ca98dba2-113d-4964-81a6-371f1218cc83/
SH256 hash:
e60fd2a4c6c4baf018eaa241af734b1b78cf2d39b249b17e306db65133438e82
MD5 hash:
05e37ffd0a9f7c643b5fe3d3f9776ae9
SHA1 hash:
7ecc1ecb8bac487ea47461f1f8079785da772e94
Link:
https://www.unpac.me/results/ca98dba2-113d-4964-81a6-371f1218cc83/
SH256 hash:
390009a742f4210382925256b8f5677698f4526a729c7dfe67b9bee375a88242
MD5 hash:
533e2fb7c72d2c45f5335185a7146e66
SHA1 hash:
1db522043df468e39119b9f217965377053cd577
Link:
https://www.unpac.me/results/ca98dba2-113d-4964-81a6-371f1218cc83/
SH256 hash:
9777098d0d0de061051d401fb5fcc58121542cff64dc7b5afd3d9a23d6e912a2
MD5 hash:
d6b9c5b223b21ced85fd9a5e8a6651ce
SHA1 hash:
e51cdeeb27fc904b552c2a7bf92ab4f144470b3b
Link:
https://www.unpac.me/results/ca98dba2-113d-4964-81a6-371f1218cc83/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9777098d0d0d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9777098d0d0de061051d401fb5fcc58121542cff64dc7b5afd3d9a23d6e912a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/457150/

Comments