MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b9a2112f023d40e7271869007a549ad5daf2b1b2cf11baa4df9be6835ab5d0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 17

SHA256 hash: 9b9a2112f023d40e7271869007a549ad5daf2b1b2cf11baa4df9be6835ab5d0b
SHA3-384 hash: 8ce7736c502a2c1828e4143052b3ac86b2a66742bfcede53131ac4ac18ff2c5c921b11c5c80606ea2b695b0804c2f598
SHA1 hash: 25a93d773872dfccb38d94d63ce5fcbbb379deeb
MD5 hash: ac95ae06dc1933e0a8b1f89d9b71146c
humanhash: eight-georgia-pennsylvania-oxygen
File name: file
Signature: Amadey
File size: 1'626'624 bytes
First seen: 2023-07-14 00:10:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 49152:9KpTmUqFyMKhUNHWnPj0imS2UZ0R+gKueUFnpzX:Kpq8MKhUiPj0HSTYRKY
Threatray: 3'348 similar samples on MalwareBazaar
TLSH: T11E75238AB3CA4472D9B017704AFB42C31B3BFC649421C72F2B9DDE560EB6A51953076E
TrID: 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: andretavare5
Tags: Amadey exe


Comment by andretavare5:
Sample downloaded from http://77.91.124.40/info/photo540.exe

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 329
Origin country: US
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-07-14 00:11:20 UTC
Tags: redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Launching a service
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: advpack anti-vm CAB control explorer installer lolbin mokes packed rundll32 setupapi shell32 xpack
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Yara detected Amadeys stealer DLL
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 1272826, sample file.exe, start date 14/07/2023, architecture WINDOWS, score 100): graph image not reproduced. Process chain recoverable from the graph: file.exe drops v8841558.exe and e9728620.exe and starts v8841558.exe, which drops v3046867.exe and d4172642.exe and starts v3046867.exe, which drops v7024597.exe and c6320704.exe and starts v7024597.exe, which drops b3975368.exe and a3499513.exe and starts both; a3499513.exe starts conhost.exe and carries the evasive API chain and Windows Defender registry signatures. Two rundll32.exe processes and 2 other processes are also started from the root. All dropped files are PE32 under C:\Users\user\AppData\Local\...
Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2023-07-14 00:11:10 UTC
File Type: PE (Exe)
Extracted files: 150
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:healer family:redline botnet:masha dropper evasion infostealer persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Windows security modification
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction: 77.91.68.48:19071
Unpacked files
SHA256 hash: 21d154fdc00ce6d1e429eff6ed9f138753b572c3f8b252364246ccb3a9c716d3
MD5 hash: 57c523dc02c1c48e53e2041b4b9201e4
SHA1 hash: abea6c493b2f906673f708d8271dd1a62c664ebd

SHA256 hash: 97942592e91ed3c6dd69c7b0e3598a7ad0736b0cb29ff287b74a392083128061
MD5 hash: cc457b80a68241c27ad0a6bd3c461ee4
SHA1 hash: 93af1732fdb058f9d957ac3d3b77ab906df82f70
Detections: redline
Parent samples:
SHA256 hash: c39b9c197b6d5a7890ffff9c7053c3a629f0353fdeefaa91e3b95a3c7723e74d
MD5 hash: dd10265b03a0edbebce82eb01606c63f
SHA1 hash: 79ccb851300c1726eaa3c2384188918b3473e480

SHA256 hash: 8f86cc3a7d78f19a1860afb41200608f798bbbf00d70709ad383eb52ff40bac7
MD5 hash: 8f13deb8ad3428d4838dcf4d0ba4c6c8
SHA1 hash: fbaf1e50480cfc58212f4907869a649f09933753

SHA256 hash: 8272b375c8d39050ae9fb5a30d63077007e05f8fba4fd4b1204c077339991fc9
MD5 hash: 79f85d1d545948f8a770abfcde90e0bd
SHA1 hash: 0bc996e973141a2101b49a8abf6f5c1801db34c2
Detections: Amadey

SHA256 hash: 8b396f1fd91355aeb308a7c1da75cd4cc9ad402dc09b6730d0ba0869be25b455
MD5 hash: 408684959c04d267edb4d4d8fb8219dd
SHA1 hash: 5d13b62c4def7a9102f273888e49c2e5e5c3c984
Detections: win_smokeloader_a2

SHA256 hash: 9b9a2112f023d40e7271869007a549ad5daf2b1b2cf11baa4df9be6835ab5d0b
MD5 hash: ac95ae06dc1933e0a8b1f89d9b71146c
SHA1 hash: 25a93d773872dfccb38d94d63ce5fcbbb379deeb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: redline_stealer_1
Author: Nikolaos 'n0t' Totosis
Description: RedLine Stealer Payload

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments