MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1
SHA3-384 hash: 6f46d1f31fd08500f08063e657da70be9263c737f4cb6b22b26777e4a83adc94de3dab5cc80b1a3967868cb0cf52aa2d
SHA1 hash: 97fe279e6107f0b1b8a6b34073f21b85b71e9a38
MD5 hash: 5c65af376bff0067a2109686755b36db
humanhash: aspen-fanta-zulu-uncle
File name:5c65af376bff0067a2109686755b36db.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:241'664 bytes
First seen:2021-08-23 00:05:37 UTC
Last seen:2021-08-23 01:06:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0651d9dcd3efcdffaff927d730c581e7 (3 x Amadey, 2 x RaccoonStealer, 2 x RedLineStealer)
ssdeep 6144:Ifs8yKSn4A/vLPxXdB982jKD0zldXDNXH:shSXHLPxD982Og5dTF
Threatray 1'235 similar samples on MalwareBazaar
TLSH T11C348D20B7A0C035F5F712F455BA83B8B9297AB0AB3450CF62D516EE56386E8DC31397
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://trustmanager.ug/k8FppT/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://trustmanager.ug/k8FppT/index.php https://threatfox.abuse.ch/ioc/192633/

Intelligence

File Origin
# of uploads :
2
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://americasbestmanassas.com/uploads/files/54635862324.pdf
Verdict:
Malicious activity
Analysis date:
2021-08-22 23:44:12 UTC
Tags:
evasion opendir loader trojan rat redline stealer vidar raccoon
Link:
https://app.any.run/tasks/c531407b-5565-4277-912b-0197460f4f0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181317/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.2354.31272.24196.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32fda35d-ab0d-4dd9-9f5a-9721fe48d8a3
Result
Threat name:
Amadey RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837184
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 469615 Sample: xuTyOmef1g.exe Startdate: 23/08/2021 Architecture: WINDOWS Score: 100 86 xmr.2miners.com 2->86 88 waskitaprecast.co.id 2->88 90 9 other IPs or domains 2->90 116 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->116 118 Multi AV Scanner detection for domain / URL 2->118 120 Multi AV Scanner detection for submitted file 2->120 122 10 other signatures 2->122 11 xuTyOmef1g.exe 2->11         started        14 uwtjrji 2->14         started        16 svchost.exe 2->16         started        18 12 other processes 2->18 signatures3 process4 dnsIp5 142 Detected unpacking (changes PE section rights) 11->142 144 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->144 146 Maps a DLL or memory area into another process 11->146 148 Creates a thread in another existing process (thread injection) 11->148 21 explorer.exe 5 11->21 injected 150 Multi AV Scanner detection for dropped file 14->150 152 Machine Learning detection for dropped file 14->152 154 Checks if the current machine is a virtual machine (disk enumeration) 14->154 156 Changes security center settings (notifications, updates, antivirus, firewall) 16->156 26 MpCmdRun.exe 16->26         started        92 127.0.0.1 unknown unknown 18->92 94 api.ip.sb 18->94 158 System process connects to network (likely due to code injection or exploit) 18->158 signatures6 process7 dnsIp8 96 193.142.59.123, 49715, 49735, 49740 HOSTSLICK-GERMANYNL Netherlands 21->96 98 193.142.59.248, 80 HOSTSLICK-GERMANYNL Netherlands 21->98 100 6 other IPs or domains 21->100 64 C:\Users\user\AppData\Roaming\uwtjrji, PE32 21->64 dropped 66 C:\Users\user\AppData\Local\Temp\4851.exe, PE32 21->66 dropped 68 C:\Users\user\...\uwtjrji:Zone.Identifier, ASCII 21->68 dropped 124 System process connects to network (likely due to code injection or exploit) 21->124 126 Benign windows process drops PE files 21->126 128 Deletes itself after installation 21->128 130 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->130 28 F3D5.exe 21->28         started        32 4851.exe 15 26 21->32         started        35 DB3B.exe 14 3 21->35         started        37 conhost.exe 26->37         started        file9 signatures10 process11 dnsIp12 78 C:\Users\user\AppData\Local\...\rnyuf.exe, PE32 28->78 dropped 160 Detected unpacking (changes PE section rights) 28->160 39 rnyuf.exe 28->39         started        80 185.215.113.29, 49731, 8678 WHOLESALECONNECTIONSNL Portugal 32->80 82 api.ip.sb 32->82 162 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->162 164 Machine Learning detection for dropped file 32->164 166 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->166 168 Tries to harvest and steal browser information (history, passwords, etc) 32->168 44 conhost.exe 32->44         started        84 188.124.36.242, 25802, 49820 SELECTELRU Russian Federation 35->84 170 Query firmware table information (likely to detect VMs) 35->170 172 Hides threads from debuggers 35->172 174 Tries to detect sandboxes / dynamic malware analysis system (registry check) 35->174 46 conhost.exe 35->46         started        file13 signatures14 process15 dnsIp16 102 185.215.113.206, 49748, 49754, 49767 WHOLESALECONNECTIONSNL Portugal 39->102 104 trustmanager.ug 185.206.180.136, 49750, 49751, 49755 PUBLICLOUDBG Bulgaria 39->104 106 cdn.discordapp.com 162.159.134.233, 443, 49752, 49753 CLOUDFLARENETUS United States 39->106 70 C:\Users\user\AppData\Local\...\Microsoft.exe, PE32 39->70 dropped 72 C:\Users\user\AppData\Local\...xplorer.exe, PE32 39->72 dropped 74 C:\Users\user\AppData\...xplorer[1].exe, PE32 39->74 dropped 76 C:\Users\user\AppData\...\Microsoft[1].exe, PE32 39->76 dropped 132 Detected unpacking (changes PE section rights) 39->132 134 Machine Learning detection for dropped file 39->134 136 Contains functionality to inject code into remote processes 39->136 138 2 other signatures 39->138 48 Microsoft.exe 39->48         started        51 cmd.exe 39->51         started        53 schtasks.exe 39->53         started        file17 signatures18 process19 signatures20 108 Detected unpacking (changes PE section rights) 48->108 110 Query firmware table information (likely to detect VMs) 48->110 112 Tries to detect sandboxes and other dynamic analysis tools (window names) 48->112 114 3 other signatures 48->114 55 conhost.exe 48->55         started        57 reg.exe 51->57         started        60 conhost.exe 51->60         started        62 conhost.exe 53->62         started        process21 signatures22 140 Creates an undocumented autostart registry key 57->140
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 00:06:06 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3f7og7q6kbtin5wdfeowy22ibgv3a27vxatm2omyqz3y3uzktaq._file
Verdict:
suspicious
Similar samples:
06d2ef3f80066d655c788069de3098105f6128e388e43baf73e2d9bf69365ce3
Amadey
1d76266267ca27570b9cfb6f2a84b80ef607e9450d475eabad2e630cfbd77b7e
Amadey
328e682510e9c0e0c37a7c8d347ecb4e7791a03b44962675a3f5f23d85250e08
Amadey
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
Amadey
41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff
Amadey
5f0caccb3ca599a30b5f298f9bb414fe721121c83b7bedc7c59ffe4128c96b61
Amadey
c5fc8453bf6cdd3e96740b1616ba2f6b359710ce2eb32f02faf8c0e299a0a057
Amadey
c7839db336f11c965ab8e6fbad1a6c757711a24362cc20d63d4ce37aef9b83b1
Amadey
cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
Amadey
+ 1'225 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:fd34ae8fb78d0554aa7caf12c271e01efb3342f6 backdoor discovery evasion infostealer persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/210823-1fwbvf7tje/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Unpacked files
SH256 hash:
18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2
MD5 hash:
f2fecf6872ad4c61a3a506159fddd4fc
SHA1 hash:
28e039eb96dcf58841992280c66433a2bbab8e84
Link:
https://www.unpac.me/results/a27ee336-1a49-4de3-80d8-1d108df15782/
SH256 hash:
9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1
MD5 hash:
5c65af376bff0067a2109686755b36db
SHA1 hash:
97fe279e6107f0b1b8a6b34073f21b85b71e9a38
Link:
https://www.unpac.me/results/a27ee336-1a49-4de3-80d8-1d108df15782/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ecbf71bf0f2833437b61948eb635a404d5d835fadc13669ccc433bc6e9954c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/181317/

Comments