MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c620345ba4a3bb0123589babe0d5b11ca7df50b57c0aedd57871ff7c794632f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	9c620345ba4a3bb0123589babe0d5b11ca7df50b57c0aedd57871ff7c794632f
SHA3-384 hash:	2e1dd19bd169a063674577dd6e57912d047844b586854db5adeb23efbb49b3a4212a316f241fd748d02b4e5df051e967
SHA1 hash:	f3fe8a15f6ed15c977b62c0ec8bbeef7900d79e2
MD5 hash:	51d110597dbc4abb9c34606dbc28b4ee
humanhash:	seventeen-victor-pasta-coffee
File name:	51d110597dbc4abb9c34606dbc28b4ee.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	345'088 bytes
First seen:	2021-12-20 15:41:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f9c2e6a1a2085a9fa6c1b7d773af20c4 (1 x Amadey, 1 x Smoke Loader, 1 x RedLineStealer)
ssdeep	6144:4Yo2luz+lTXVjPi9LlKnSp1b6coSDcTZUH:xluUjPiVsnSpddDcVUH
Threatray	6'151 similar samples on MalwareBazaar
TLSH	T124748E10BB90D435F5B712F846B6D2B9BA3E7EE1A72450CF22D42AEA56345E0EC30317
File icon (PE):
dhash icon	25ec1378399b9b91 (23 x RedLineStealer, 13 x Smoke Loader, 7 x RaccoonStealer)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
62.182.156.187:56323

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
62.182.156.187:56323	https://threatfox.abuse.ch/ioc/277871/

Intelligence

File Origin

# of uploads :

# of downloads :

409

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/215501/

Detection(s):

Win.Dropper.Tofsee-9916986-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

DNS request

Searching for synchronization primitives

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for analyzing tools

Sending a custom TCP request

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2773/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61c0a44eec6c6c14a9e552ca/reports/3ab218a1-591c-495d-99bc-b9a66bb3d234/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c01cf55d-101a-4aa1-8ae0-f8724967632f

Result

Threat name:

Djvu SmokeLoader

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/910387

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Djvu Ransomware

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c620345ba4a3bb0123589babe0d5b11ca7df50b57c0aedd57871ff7c794632f/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2021-12-20 15:42:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=trragrn2ji53aervrg5l4dk3chfh35ilk7ak5xkxq4p7pr4ummxq._file

Verdict:

malicious

Amadey

387619129ba37b0a3574d3bae80df37ef2213e27ea2a9d903365e226f6ad2c64

Amadey

433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3

Amadey

47ec411eab0aa15619f24caa6256ed4ca5cfc695a26f5b71830b53b07c22b05b

Amadey

68b90031cf6d8870b5719281dbfd45c97db2b8b0e696ea5f997c8de57b54dd7f

Amadey

c9f18cc71c7a1fa61d43a32dfb858f9aa247324a188f8182981b853266d3b1c7

Amadey

d836a03e0b7eeabbc971de7d3e6fcc11bf06e13e633d11118c7429b3abb3c4ed

Amadey

edf105b04e5bd8f534cb569945ecaad365d6366e163627d5652520a0368a52c2

Amadey

f7b5a27355eafa5302a38a1e0adadcb619b6d42e7c1707a784297634a180a66f

Amadey

+ 6'141 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:amadey family:arkei family:redline family:smokeloader family:tofsee family:xmrig botnet:1 botnet:install backdoor collection discovery evasion infostealer miner persistence spyware stealer suricata trojan vmprotect

Link:

https://tria.ge/reports/211220-s5cb8sbgfl/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

VMProtect packed file

Arkei Stealer Payload

XMRig Miner Payload

Amadey

Arkei

RedLine

RedLine Payload

SmokeLoader

Tofsee

Windows security bypass

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

xmrig

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
mubrikych.top
oxxyfix.xyz
86.107.197.138:38133
62.182.156.187:56323
185.215.113.35/d2VxjasuwS/index.php