MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cdcbc2bfa8b91de9a8effecf950f885daf599ade610fd97159caa64001f1dea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cdcbc2bfa8b91de9a8effecf950f885daf599ade610fd97159caa64001f1dea
SHA3-384 hash: 158acb5fc501c3cbf6d4744cb01e16cf2daf47a44ea1da76af8712e23dc4ffdcca8a2c7c977a58217616e03b539d122b
SHA1 hash: e27cab86b984d23238b2afa844fc155023e4472a
MD5 hash: cef4518b05614af64f652560d9c43769
humanhash: utah-stairway-may-pip
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:369'664 bytes
First seen:2022-11-02 11:46:17 UTC
Last seen:2022-11-02 14:13:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d675596ca8e40a75b4d427a316299a8 (17 x Smoke Loader, 10 x RedLineStealer, 9 x Amadey)
ssdeep 6144:k8rRjspzs3oen8T5PWCW6X+mIM45TNt7ITsq:k8hsp0d8lOCW6OrHxt7
Threatray 16'724 similar samples on MalwareBazaar
TLSH T1E074D0D17490C0B2C0827D74CD64CBA06B7AB932E53949473B74EA6E9F307D2A67631B
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter andretavare5
Tags:Amadey exe


Avatar
andretavare5
Sample downloaded from http://77.73.134.247/roma/final.exe

Intelligence

File Origin
# of uploads :
20
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-02 11:47:58 UTC
Tags:
trojan amadey loader stealer
Link:
https://app.any.run/tasks/54cc56dc-e3da-4264-9c29-76fc262683f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/327130/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.3888.13505.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a file
Creating a window
Sending an HTTP POST request
Delayed reading of the file
Searching for the window
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/636258b758409ff7bc0c89ce/reports/2d561053-eb91-4e00-a7f2-932fd9a9cc5c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26e7d7a4-a873-431d-a20c-6922c0c53ad9
Result
Threat name:
Amadey, AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1103213
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses powershell cmdlets to delay payload execution
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected AsyncRAT
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 735876 Sample: file.exe Startdate: 02/11/2022 Architecture: WINDOWS Score: 100 138 Snort IDS alert for network traffic 2->138 140 Malicious sample detected (through community Yara rule) 2->140 142 Antivirus detection for URL or domain 2->142 144 11 other signatures 2->144 12 file.exe 4 2->12         started        16 senseperformance.exe 2->16         started        19 senseperformance.exe 3 2->19         started        21 4 other processes 2->21 process3 dnsIp4 104 C:\Users\user\AppData\Local\...\rovwer.exe, PE32 12->104 dropped 106 C:\Users\user\...\rovwer.exe:Zone.Identifier, ASCII 12->106 dropped 178 Detected unpacking (changes PE section rights) 12->178 180 Detected unpacking (overwrites its own PE header) 12->180 182 Contains functionality to inject code into remote processes 12->182 23 rovwer.exe 1 24 12->23         started        110 iesvillavieja.es 16->110 184 Encrypted powershell cmdline option found 16->184 186 Uses powershell cmdlets to delay payload execution 16->186 188 Injects a PE file into a foreign processes 16->188 28 senseperformance.exe 16->28         started        30 powershell.exe 16->30         started        112 iesvillavieja.es 19->112 32 powershell.exe 19->32         started        34 senseperformance.exe 19->34         started        114 iesvillavieja.es 21->114 116 iesvillavieja.es 21->116 118 iesvillavieja.es 21->118 36 powershell.exe 21->36         started        38 powershell.exe 21->38         started        file5 signatures6 process7 dnsIp8 120 31.41.244.15, 49709, 49710, 80 AEROEXPRESS-ASRU Russian Federation 23->120 122 github.com 140.82.121.4, 443, 49711, 49712 GITHUBUS United States 23->122 124 raw.githubusercontent.com 185.199.110.133 FASTLYUS Netherlands 23->124 94 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32 23->94 dropped 96 C:\Users\user\...\senseperformance.exe, PE32 23->96 dropped 98 C:\Users\user\...\senseperformance[1].exe, PE32 23->98 dropped 100 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32 23->100 dropped 146 Multi AV Scanner detection for dropped file 23->146 148 Detected unpacking (changes PE section rights) 23->148 150 Detected unpacking (overwrites its own PE header) 23->150 154 3 other signatures 23->154 40 senseperformance.exe 15 5 23->40         started        45 rundll32.exe 23->45         started        47 schtasks.exe 1 23->47         started        126 46.3.199.101 ALEXHOST_SRLMD Russian Federation 28->126 152 Creates multiple autostart registry keys 28->152 49 conhost.exe 30->49         started        51 conhost.exe 32->51         started        53 conhost.exe 36->53         started        55 conhost.exe 38->55         started        file9 signatures10 process11 dnsIp12 128 iesvillavieja.es 185.66.41.139 CDMONsistemescdmoncomES Spain 40->128 130 192.168.2.1 unknown unknown 40->130 102 C:\...\Mwzobrlsvwimproveoutsourcing_2s.exe, PE32 40->102 dropped 156 Machine Learning detection for dropped file 40->156 158 Encrypted powershell cmdline option found 40->158 160 Uses powershell cmdlets to delay payload execution 40->160 57 Mwzobrlsvwimproveoutsourcing_2s.exe 40->57         started        61 senseperformance.exe 40->61         started        64 powershell.exe 40->64         started        132 192.168.2.6, 443, 49701, 49707 unknown unknown 45->132 162 System process connects to network (likely due to code injection or exploit) 45->162 164 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 45->164 166 Tries to steal Instant Messenger accounts or passwords 45->166 168 2 other signatures 45->168 66 conhost.exe 47->66         started        file13 signatures14 process15 dnsIp16 134 iesvillavieja.es 57->134 170 Machine Learning detection for dropped file 57->170 172 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 57->172 174 Encrypted powershell cmdline option found 57->174 176 Uses powershell cmdlets to delay payload execution 57->176 68 powershell.exe 57->68         started        108 C:\Users\...\Microsoft Security Shell.exe, PE32 61->108 dropped 70 cmd.exe 61->70         started        72 cmd.exe 61->72         started        74 conhost.exe 64->74         started        file17 signatures18 process19 process20 76 conhost.exe 68->76         started        78 Microsoft Security Shell.exe 70->78         started        82 conhost.exe 70->82         started        84 timeout.exe 70->84         started        86 conhost.exe 72->86         started        88 schtasks.exe 72->88         started        dnsIp21 136 iesvillavieja.es 78->136 190 Encrypted powershell cmdline option found 78->190 192 Uses powershell cmdlets to delay payload execution 78->192 90 powershell.exe 78->90         started        signatures22 process23 process24 92 conhost.exe 90->92         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cdcbc2bfa8b91de9a8effecf950f885daf599ade610fd97159caa64001f1dea/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2022-11-02 11:47:07 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ttolyk72roi55guo77wpsuhyqxnplgnn4yip3fyvtsvgiaa7dxva._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
23941746340e89fb699e4ecec106fbfd40186fc5b483bf72d82d5d5a2706863f
Amadey
2ac301ae03c6043ffd1c46b04a64af067502b599c6bc064190e086ad7f99f2f4
Amadey
38f04820d11d14a63b75ecf5d8313c2c4fc039563d4ceeb7c6a4ca557d9fab33
Amadey
5bd1b196eb5a0508cebd377d2792dc115030837ff86bd60dd8b98ac9b8138dd5
Amadey
68fa24f693d9b5955eb2a34a6fbbd3ac7b9e4e8efa53b17b6a94ddd01baab2fe
Amadey
7715c84b2504a1cb0a5cb7f3ac93f838ee1b30acd915d45f4b16549b0c55dad2
Amadey
99735bf17537e921b53f4b4f2aada8fecbf1d0627ce3139b878151d9fe3f4b9f
Amadey
b2cb01768dbbcaee4de2957e7f60bbc9b801f4f821224f89ef87948fd7c14bd4
Amadey
+ 16'714 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey collection spyware stealer trojan
Link:
https://tria.ge/reports/221102-nxvrdsbfa5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/091ce192-4a7a-4ce9-8d8d-19bbd6c997c0
Unpacked files
SH256 hash:
593505e03743f43ae5b3d0ed815fc0416f55b5bed2ac1bbf13f95f6214a2fc9a
MD5 hash:
192e88e390afbdafb38d4273d5031deb
SHA1 hash:
8a9b778f7142c65d99aad99cc3753b8ec95919fc
Link:
https://www.unpac.me/results/91229e94-c77f-401b-80d9-a9945bc9c22b/
SH256 hash:
9cdcbc2bfa8b91de9a8effecf950f885daf599ade610fd97159caa64001f1dea
MD5 hash:
cef4518b05614af64f652560d9c43769
SHA1 hash:
e27cab86b984d23238b2afa844fc155023e4472a
Link:
https://www.unpac.me/results/91229e94-c77f-401b-80d9-a9945bc9c22b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9cdcbc2bfa8b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cdcbc2bfa8b91de9a8effecf950f885daf599ade610fd97159caa64001f1dea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/327130/
  
URLhaus
https://urlhaus.abuse.ch/url/2390506/

Comments