MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a1479bac1f3c4652a9b14798f3e5d2ec2cd4839ad40415d079619d21a812c64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a1479bac1f3c4652a9b14798f3e5d2ec2cd4839ad40415d079619d21a812c64
SHA3-384 hash: 276207cddd8d1ede528b0c61f306102b8ead73a887faf512752dc54a7c66a6f64caf6b49b3f4096eb15581197a1c969b
SHA1 hash: 12a8ac48d6ca6917d872c1c96e5d277c4dd842b3
MD5 hash: 31be2f115f41edc9983d957c33008b68
humanhash: thirteen-california-mobile-michigan
File name:31be2f115f41edc9983d957c33008b68.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'914'368 bytes
First seen:2024-03-28 18:53:15 UTC
Last seen:2024-03-28 20:22:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:ynktmVBAjAVQLaStMDTBf0Qizoq+4Q9l80UAoxLs:k6OVupkBMQgXp
Threatray 208 similar samples on MalwareBazaar
TLSH T12C95339184F78DB1C7764031DEC7A9103A3461C7CCBB4E161CABCF296E47F96221AB96
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
9a1479bac1f3c4652a9b14798f3e5d2ec2cd4839ad40415d079619d21a812c64.exe
Verdict:
Malicious activity
Analysis date:
2024-03-28 19:06:54 UTC
Tags:
amadey botnet stealer loader
Link:
https://app.any.run/tasks/192dab7f-e3a7-4582-a25e-c4223c160b9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching the process to change network settings
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6605bd49391c61c4790de2bd/reports/449e186c-5ff0-4890-ae79-34bf2316572d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9a1479bac1f3c4652a9b14798f3e5d2ec2cd4839ad40415d079619d21a812c64
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/37953722-df18-4bf4-9a1d-1f181cc734d3
Result
Threat name:
Amadey, PureLog Stealer, RedLine, RisePr
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1417242
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417242 Sample: uQeIMs91Vh.exe Startdate: 28/03/2024 Architecture: WINDOWS Score: 100 107 ipinfo.io 2->107 109 db-ip.com 2->109 129 Snort IDS alert for network traffic 2->129 131 Found malware configuration 2->131 133 Malicious sample detected (through community Yara rule) 2->133 135 25 other signatures 2->135 10 explorgu.exe 2 41 2->10         started        15 uQeIMs91Vh.exe 5 2->15         started        17 MPGPH131.exe 2->17         started        19 10 other processes 2->19 signatures3 process4 dnsIp5 113 185.215.113.32, 49705, 49706, 49708 WHOLESALECONNECTIONSNL Portugal 10->113 115 193.233.132.216, 49715, 57893 FREE-NET-ASFREEnetEU Russian Federation 10->115 119 4 other IPs or domains 10->119 97 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 10->97 dropped 99 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 10->99 dropped 101 C:\Users\user\AppData\Local\...ljlre.exe, PE32 10->101 dropped 105 15 other malicious files 10->105 dropped 193 Antivirus detection for dropped file 10->193 195 Multi AV Scanner detection for dropped file 10->195 197 Detected unpacking (changes PE section rights) 10->197 213 2 other signatures 10->213 21 alex1234.exe 10->21         started        24 amadka.exe 10->24         started        27 random.exe 1 61 10->27         started        30 6 other processes 10->30 103 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 15->103 dropped 199 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->199 201 Tries to evade debugger and weak emulator (self modifying code) 15->201 203 Tries to detect virtualization through RDTSC time measurements 15->203 205 Machine Learning detection for dropped file 17->205 207 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->207 117 127.0.0.1 unknown unknown 19->117 209 Hides threads from debuggers 19->209 211 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 19->211 file6 signatures7 process8 dnsIp9 137 Multi AV Scanner detection for dropped file 21->137 139 Machine Learning detection for dropped file 21->139 155 3 other signatures 21->155 32 RegAsm.exe 21->32         started        35 conhost.exe 21->35         started        87 C:\Users\user\AppData\Local\...\explorha.exe, PE32 24->87 dropped 141 Antivirus detection for dropped file 24->141 143 Detected unpacking (changes PE section rights) 24->143 145 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->145 157 4 other signatures 24->157 37 explorha.exe 24->37         started        121 193.233.132.74, 49713, 49728, 49729 FREE-NET-ASFREEnetEU Russian Federation 27->121 123 ipinfo.io 34.117.186.192, 443, 49730 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 27->123 125 db-ip.com 104.26.5.15, 443, 49731 CLOUDFLARENETUS United States 27->125 89 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 27->89 dropped 91 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 27->91 dropped 93 C:\Users\user\...\0zqeQ3G_xSnIlTx83aknagy.zip, Zip 27->93 dropped 147 Tries to steal Mail credentials (via file / registry access) 27->147 159 6 other signatures 27->159 40 schtasks.exe 27->40         started        42 schtasks.exe 27->42         started        44 WerFault.exe 27->44         started        127 185.215.113.67 WHOLESALECONNECTIONSNL Portugal 30->127 95 C:\Users\user\AppData\Roaming\Vhnczenzs.exe, PE32 30->95 dropped 149 System process connects to network (likely due to code injection or exploit) 30->149 151 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->151 153 Creates an undocumented autostart registry key 30->153 161 4 other signatures 30->161 46 rundll32.exe 25 30->46         started        48 schtasks.exe 30->48         started        50 conhost.exe 30->50         started        file10 signatures11 process12 file13 81 C:\Users\user\AppData\Roaming\...\propro.exe, PE32 32->81 dropped 83 C:\Users\user\AppData\Roaming\...\Traffic.exe, PE32 32->83 dropped 52 propro.exe 32->52         started        56 Traffic.exe 32->56         started        58 cmd.exe 32->58         started        163 Antivirus detection for dropped file 37->163 165 Detected unpacking (changes PE section rights) 37->165 167 Machine Learning detection for dropped file 37->167 175 4 other signatures 37->175 60 conhost.exe 40->60         started        62 conhost.exe 42->62         started        169 Tries to steal Instant Messenger accounts or passwords 46->169 171 Uses netsh to modify the Windows network and firewall settings 46->171 173 Tries to harvest and steal ftp login credentials 46->173 177 2 other signatures 46->177 64 powershell.exe 46->64         started        67 netsh.exe 2 46->67         started        69 conhost.exe 48->69         started        signatures14 process15 dnsIp16 111 185.172.128.33, 49719, 8970 NADYMSS-ASRU Russian Federation 52->111 179 Multi AV Scanner detection for dropped file 52->179 181 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->181 183 Installs new ROOT certificates 52->183 191 2 other signatures 52->191 185 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 56->185 187 Reads the System eventlog 56->187 71 conhost.exe 56->71         started        73 conhost.exe 58->73         started        75 choice.exe 58->75         started        85 C:\Users\user\...\246122658369_Desktop.zip, Zip 64->85 dropped 189 Found many strings related to Crypto-Wallets (likely being stolen) 64->189 77 conhost.exe 64->77         started        79 conhost.exe 67->79         started        file17 signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9a1479bac1f3c4652a9b14798f3e5d2ec2cd4839ad40415d079619d21a812c64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a1479bac1f3c4652a9b14798f3e5d2ec2cd4839ad40415d079619d21a812c64/
Threat name:
Win32.Spyware.Risepro
Create hunting rule
Status:
Malicious
First seen:
2024-03-28 18:09:24 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
26 of 36 (72.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tikhtowb6pcgkku3cr4y6ps5f3bm2sbzvvaecxihsym5egubfrsa._file
Verdict:
malicious
Similar samples:
0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd
Amadey
12fb27d7a59c168a82317baa0b127b8a826cc98dd108fc37fd022d8a842b06bc
Amadey
8cb37e1ab48747e7fb63dd2ac1bffe1c9f0fa98c160613922a995935d6abd2cc
Amadey
96b2160da785abf50af26520f1bc1743e962f24bf983b5ddee8591bdedd0f035
Amadey
9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784
Amadey
9f0139fadc3ae86c62acc7c217e8e3ddbd5965c0784d64737874566ccd28920a
Amadey
cb348e8dbd6c518a9ad671a9fb235cea3eeba8b7036fc5498f6b118d4bc3060b
Amadey
d68a5d440931df383de62e3436f5f485ecd75b552e8b78065706a8c880828378
Amadey
dfa384f6136c43639f6c66766ca81c245e65a70fcf92015656b1cd7a579a3647
Amadey
e0063d0d5bebd7b349f970ec640d1e14ccba6e766999bfd630ac52e791e2dc65
Amadey
+ 198 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:risepro family:zgrat botnet:@oleh_psp botnet:jok123 discovery evasion infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240328-xj7cpsde5w/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect ZGRat V1
RedLine
RedLine payload
RisePro
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.32
http://193.233.132.56
185.172.128.33:8970
185.215.113.67:26260
Unpacked files
SH256 hash:
b8a6f3be063e2b9c8a00d5487ed31a42073f5570ac03acbedf3031f5a3d60d42
MD5 hash:
ba52e0294cb6e5dab2351ff583523f8e
SHA1 hash:
28ceb2a6b62623956949ddb492cde5466bb518d8
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/7acd3fd5-dfbf-4c8d-ad59-bd6679bc01a8/
SH256 hash:
9a1479bac1f3c4652a9b14798f3e5d2ec2cd4839ad40415d079619d21a812c64
MD5 hash:
31be2f115f41edc9983d957c33008b68
SHA1 hash:
12a8ac48d6ca6917d872c1c96e5d277c4dd842b3
Link:
https://www.unpac.me/results/7acd3fd5-dfbf-4c8d-ad59-bd6679bc01a8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9a1479bac1f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a1479bac1f3c4652a9b14798f3e5d2ec2cd4839ad40415d079619d21a812c64

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 9a1479bac1f3c4652a9b14798f3e5d2ec2cd4839ad40415d079619d21a812c64

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2757406/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments