MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c41a2f71bf50c12c268e61147794c07e5a65642cd2a08235f5dce0ad0cdbc63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c41a2f71bf50c12c268e61147794c07e5a65642cd2a08235f5dce0ad0cdbc63
SHA3-384 hash: 176cff729accc3bfd179f3b43040d446aef02953841a0a265b26471da38b4cfcc0ed81780f99d39d2e453c68fb9e3a8d
SHA1 hash: 06ad06e208965913a03307439e68f1168027fb89
MD5 hash: 744e8a3718a8bccb6c0bfe243c7ac195
humanhash: leopard-cola-nine-alpha
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:3'017'216 bytes
First seen:2024-12-20 01:08:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:DUEL8aWXxxR4zmtHbaTpanQ6A3tOhbDgF5yx3G9RGpelk1+a:DUE4aWXfR4CtHbaTpanQV3UVgF5W3BE
Threatray 4 similar samples on MalwareBazaar
TLSH T113D53BB1B509B1CFD4CA2674852BCDC2695D03B94720C8C39EAEA4BA7E77CC11DB6C64
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
597
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-12-20 01:10:43 UTC
Tags:
amadey botnet stealer loader lumma cryptbot stealc github telegram auto coinminer gcleaner themida
Link:
https://app.any.run/tasks/05d3e7aa-9787-41a5-a5dc-74499f4987e6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.19911.19892.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6764c3b375bf3268d2fd22fc
Tags:
shellcode autorun spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6764c3af103c07c16375f025/reports/c4e10b43-d5ba-4c4f-8c20-6726455bb086/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/9c41a2f71bf50c12c268e61147794c07e5a65642cd2a08235f5dce0ad0cdbc63
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bb0598e0-dcfa-44e0-86fd-9977f2af94d4
Result
Threat name:
LummaC, Amadey, Cryptbot, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1578660
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Leaks process information
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Cryptbot
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1578660 Sample: file.exe Startdate: 20/12/2024 Architecture: WINDOWS Score: 100 57 treehoneyi.click 2->57 59 rapeflowwj.lat 2->59 61 8 other IPs or domains 2->61 91 Suricata IDS alerts for network traffic 2->91 93 Found malware configuration 2->93 95 Antivirus detection for dropped file 2->95 97 15 other signatures 2->97 9 skotes.exe 33 2->9         started        14 file.exe 5 2->14         started        16 skotes.exe 2->16         started        signatures3 process4 dnsIp5 79 185.215.113.43, 49817, 49825, 49850 WHOLESALECONNECTIONSNL Portugal 9->79 81 185.215.113.16, 49831, 49923, 80 WHOLESALECONNECTIONSNL Portugal 9->81 83 31.41.244.11, 49855, 49875, 49917 AEROEXPRESS-ASRU Russian Federation 9->83 45 C:\Users\user\AppData\...\6454cda0dd.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\...\ef4aa82a7c.exe, PE32 9->47 dropped 49 C:\Users\user\AppData\...\ba94e3db0d.exe, PE32 9->49 dropped 55 9 other malicious files 9->55 dropped 133 Hides threads from debuggers 9->133 135 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->135 137 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 9->137 18 ba94e3db0d.exe 9->18         started        22 f2de4e119f.exe 12 9->22         started        24 ef4aa82a7c.exe 9->24         started        28 3 other processes 9->28 51 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->51 dropped 53 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->53 dropped 139 Detected unpacking (changes PE section rights) 14->139 141 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->141 143 Tries to evade debugger and weak emulator (self modifying code) 14->143 145 Tries to detect virtualization through RDTSC time measurements 14->145 26 skotes.exe 14->26         started        147 Antivirus detection for dropped file 16->147 149 Multi AV Scanner detection for dropped file 16->149 151 Machine Learning detection for dropped file 16->151 file6 signatures7 process8 dnsIp9 63 treehoneyi.click 104.21.91.209 CLOUDFLARENETUS United States 18->63 99 Antivirus detection for dropped file 18->99 101 Multi AV Scanner detection for dropped file 18->101 103 Detected unpacking (changes PE section rights) 18->103 119 2 other signatures 18->119 65 grannyejh.lat 172.67.179.109, 443, 49853, 49860 CLOUDFLARENETUS United States 22->65 105 Query firmware table information (likely to detect VMs) 22->105 107 Machine Learning detection for dropped file 22->107 109 Found many strings related to Crypto-Wallets (likely being stolen) 22->109 30 chrome.exe 22->30         started        33 chrome.exe 22->33         started        111 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->111 113 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 24->113 115 Tries to evade debugger and weak emulator (self modifying code) 24->115 117 Hides threads from debuggers 26->117 121 2 other signatures 26->121 67 twentytk20pn.top 147.45.113.159, 49929, 80 FREE-NET-ASFREEnetEU Russian Federation 28->67 69 httpbin.org 34.226.108.155, 443, 49913 AMAZON-AESUS United States 28->69 71 home.twentytk20pn.top 28->71 123 2 other signatures 28->123 35 324fcfa2b3.exe 28->35         started        38 conhost.exe 28->38         started        signatures10 process11 dnsIp12 85 192.168.2.5, 443, 49703, 49817 unknown unknown 30->85 87 239.255.255.250 unknown Reserved 30->87 40 chrome.exe 30->40         started        43 chrome.exe 33->43         started        89 pancakedipyps.click 172.67.209.202, 443, 49876, 49883 CLOUDFLARENETUS United States 35->89 125 Query firmware table information (likely to detect VMs) 35->125 127 Found many strings related to Crypto-Wallets (likely being stolen) 35->127 129 Tries to harvest and steal ftp login credentials 35->129 131 Tries to steal Crypto Currency Wallets 35->131 signatures13 process14 dnsIp15 73 www.google.com 172.217.19.228 GOOGLEUS United States 40->73 75 shed.dual-low.s-part-0035.t-0009.t-msedge.net 40->75 77 4 other IPs or domains 40->77
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9c41a2f71bf50c12c268e61147794c07e5a65642cd2a08235f5dce0ad0cdbc63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c41a2f71bf50c12c268e61147794c07e5a65642cd2a08235f5dce0ad0cdbc63/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-12-20 01:09:06 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tra2f5y36ugbfqti4yiuo6kma7s2mvsczuvaqi27lxhavugnxrrq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
0abcd4381407833a5724ca388d337f195d935298479a75a56319964bfd2e8acc
Amadey
34959918550ef8a11fe8e0ef9dde5f85f0dac541e62a2cad53998d4a0eb07d9d
Amadey
69f12161bd960117baf9728942be8ae7d34aeac22ffeff912dc8ab227a44229b
Amadey
ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6
Amadey
error
Amadey
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:cryptbot family:lumma family:vidar family:xworm botnet:9c9aa5 credential_access discovery evasion execution persistence privilege_escalation rat spyware stealer trojan
Link:
https://tria.ge/reports/241220-bhsl9swkfp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Uses browser remote debugging
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
CryptBot
Cryptbot family
Detect Vidar Stealer
Detect Xworm Payload
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xworm
Xworm family
Malware Config
C2 Extraction:
http://185.215.113.43
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
86.38.225.54:5353
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ebc30aad-8e57-4811-9374-77c2417fc315
Unpacked files
SH256 hash:
e7df6475df03524c903c1b0fe1adc8bbbee29f9084bcac08fb1b5a03354edebc
MD5 hash:
7a99d5c01aa06e686eaa8f53a04bd306
SHA1 hash:
8d048664b897b4700aa8d312273ed6120dc07738
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/d8e8da0e-09e9-42d0-bbc9-731a69351459/
SH256 hash:
9c41a2f71bf50c12c268e61147794c07e5a65642cd2a08235f5dce0ad0cdbc63
MD5 hash:
744e8a3718a8bccb6c0bfe243c7ac195
SHA1 hash:
06ad06e208965913a03307439e68f1168027fb89
Link:
https://www.unpac.me/results/d8e8da0e-09e9-42d0-bbc9-731a69351459/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c41a2f71bf5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 9c41a2f71bf50c12c268e61147794c07e5a65642cd2a08235f5dce0ad0cdbc63

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3338043/
  
URLhaus
https://urlhaus.abuse.ch/url/3072521/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_TRUST_INFORequires Elevated Execution (uiAccess:None)high

Comments