MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a66c48842274fb709ecf6f58ba0db4a25ede3813c3a1fa8114c90fa443cbe51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	9a66c48842274fb709ecf6f58ba0db4a25ede3813c3a1fa8114c90fa443cbe51
SHA3-384 hash:	9bfc6a1cdb25445f0b66fb2621ea91caade196b0f26d4e39111f20a79c8624c18d520ac875fe03a15aeaf22e69f68eca
SHA1 hash:	47a974468f263e47c7547d5f8eea69d17e932d52
MD5 hash:	f16185080a8c12bc14de28c77c41c559
humanhash:	crazy-helium-bulldog-nuts
File name:	f16185080a8c12bc14de28c77c41c559.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	392'704 bytes
First seen:	2023-11-30 18:59:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	52c989b623059b029b98f089e46c54ff (2 x Smoke Loader, 2 x Tofsee, 1 x Stealc)
ssdeep	6144:+M8xDXKfVEVo3WgsrT0WQktIVXBIBGfg4:+rmIo3WDr0ktuXKMg4
TLSH	T195845C5383F17D44E9268B729F2FE6EC7B1DF2508E8A776912189E2F50B1276C263710
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	00041c9644c98984 (1 x Amadey)
Reporter	abuse_ch
Tags:	Amadey exe

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

New Text Document.zip

Verdict:

Malicious activity

Analysis date:

2023-11-30 23:41:25 UTC

Tags:

opendir loader stealer grmsk agenttesla trojan lokibot lumma pureloader socks5systemz

Link:

https://app.any.run/tasks/e385ff8b-7a5b-4cdf-a3b6-7e47d77c0cb4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461478/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/9a66c48842274fb709ecf6f58ba0db4a25ede3813c3a1fa8114c90fa443cbe51

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a00385d9-a940-481e-8e33-4fec0c65c0f7

Result

Threat name:

Amadey

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1350738

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Instant Messenger accounts or passwords

Yara detected Amadeys stealer DLL

Yara detected Generic Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9a66c48842274fb709ecf6f58ba0db4a25ede3813c3a1fa8114c90fa443cbe51

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9a66c48842274fb709ecf6f58ba0db4a25ede3813c3a1fa8114c90fa443cbe51/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-11-30 18:36:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 23 (95.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tjtmjccce5h3ocpm632yxig3jis63y4bhq5b7karjsipurb4xziq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/231130-xnm5magc58/

Behaviour

Suspicious behavior: EnumeratesProcesses

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

79a2bee224d0b11bd7901e8e82665afbfadd2321ca5685374b7933292cf53abe

MD5 hash:

d761231b90175f471245d2fa50f358fa

SHA1 hash:

f3d2f74ff44baafd5b49433d0a39a0589ba2f0a2

Detections:

INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Link:

https://www.unpac.me/results/fd1d2a3c-7e47-4cd5-9dbc-100056b61ae1/

SH256 hash:

9a66c48842274fb709ecf6f58ba0db4a25ede3813c3a1fa8114c90fa443cbe51

MD5 hash:

f16185080a8c12bc14de28c77c41c559

SHA1 hash:

47a974468f263e47c7547d5f8eea69d17e932d52

Link:

https://www.unpac.me/results/fd1d2a3c-7e47-4cd5-9dbc-100056b61ae1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9a66c48842274fb709ecf6f58ba0db4a25ede3813c3a1fa8114c90fa443cbe51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.