Threat name: LummaC, Amadey, LummaC Stealer, PureLog
Alert
Classification: phis.troj.spyw.expl.evad
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the System eventlog
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Behavior Graph
ID: 1425954
Sample: bUWKfj04aU.exe
Startdate: 15/04/2024
Architecture: WINDOWS
Score: 100

The graph below is rebuilt from the flattened node/edge dump. Each process lists its network contacts, dropped files, triggered signatures and the child processes it started; indentation shows the parent/child relationship.

Analysis root
  signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 22 other signatures
  started: explorgu.exe, bUWKfj04aU.exe, svchost.exe, NewB.exe

  explorgu.exe
    network: 185.215.113.32 (WHOLESALECONNECTIONSNL, Portugal); 185.172.128.19 (NADYMSS-ASRU, Russian Federation); 3 other IPs or domains
    dropped: C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+; C:\Users\user\AppData\Roaming\...\clip64.dll, PE32; C:\Users\user\AppData\Local\...\DocuWorks.exe, PE32+; 21 other malicious files
    signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; 2 other signatures
    started: file300un.exe, NewB.exe, alexxxxxxxx.exe, 7 other processes

    file300un.exe
      signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique
      started: MSBuild.exe, 2 other processes

      MSBuild.exe
        network: 104.21.79.77 (CLOUDFLARENETUS, United States); 172.67.34.170 (CLOUDFLARENETUS, United States)
        dropped: C:\Users\...\zkP3dJByFmLvW6zaaFPB4q1s.exe, PE32; C:\Users\...\yhDNs5CKgcvWpHQdXrg6et6I.exe, PE32+; C:\Users\...\uuRE7gXsEM4RR1NoZUBwtrlp.exe, PE32; 73 other malicious files

    NewB.exe
      network: 185.172.128.59 (NADYMSS-ASRU, Russian Federation); 104.21.92.190 (CLOUDFLARENETUS, United States); 172.67.187.204 (CLOUDFLARENETUS, United States)
      dropped: C:\Users\user\AppData\Local\...\Uni400uni.exe, PE32+; C:\Users\user\AppData\Local\...\FirstZ.exe, PE32+; C:\Users\user\AppData\Local\...\ISetup8.exe, PE32; 5 other malicious files
      signatures: Creates an undocumented autostart registry key; Uses schtasks.exe or at.exe to add and modify task schedules
      started: Uni400uni.exe, 4 other processes

      Uni400uni.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
        started: MSBuild.exe, WerFault.exe, 2 other processes

        MSBuild.exe
          network: 107.167.110.211 (OPERASOFTWAREUS, United States); 193.233.132.175 (FREE-NET-ASFREEnetEU, Russian Federation); 8 other IPs or domains
          dropped: C:\Users\...\wZuV3PgWQZH6WkVb85MHgKez.exe, MS-DOS; C:\Users\...\tLniRa1wNfVBc8wtGlFeZuV5.exe, PE32; C:\Users\...\sx0rXq9mQR9aeLWBWHbPdr14.exe, PE32; 49 other malicious files
          signatures: Creates HTML files with .exe extension (expired dropper behavior)

        WerFault.exe
          network: 104.208.16.94 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)

      4 other processes
        network: 185.172.128.228 (NADYMSS-ASRU, Russian Federation); 185.172.128.90 (NADYMSS-ASRU, Russian Federation)
        dropped: C:\Users\user\AppData\Local\Temp\u5ps.1.exe, PE32; C:\Users\user\AppData\Local\Temp\u5ps.0.exe, PE32; C:\ProgramData\...\reakuqnanrkn.exe, PE32+
        signatures: Adds a directory exclusion to Windows Defender
        started: conhost.exe, powershell.exe

        conhost.exe
          started: WerFault.exe, WerFault.exe

        powershell.exe
          started: conhost.exe

    alexxxxxxxx.exe
      signatures: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
      started: RegAsm.exe, conhost.exe

      RegAsm.exe
        dropped: C:\Users\user\AppData\Roaming\...\propro.exe, PE32; C:\Users\user\AppData\Roaming\...\Traffic.exe, PE32
        started: propro.exe, Traffic.exe

        propro.exe
          network: 185.172.128.33 (NADYMSS-ASRU, Russian Federation)
          signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Installs new ROOT certificates; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to steal Crypto Currency Wallets

        Traffic.exe
          signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Reads the System eventlog
          started: conhost.exe

    7 other processes
      network: 185.215.113.67 (WHOLESALECONNECTIONSNL, Portugal)
      signatures: System process connects to network (likely due to code injection or exploit); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (window names); 5 other signatures
      started: rundll32.exe, RegAsm.exe, 4 other processes

      rundll32.exe
        signatures: Tries to steal Instant Messenger accounts or passwords; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal ftp login credentials; Tries to harvest and steal WLAN passwords
        started: powershell.exe, netsh.exe

        powershell.exe
          dropped: C:\Users\user\...\246122658369_Desktop.zip, Zip
          signatures: Found many strings related to Crypto-Wallets (likely being stolen); Loading BitLocker PowerShell Module
          started: conhost.exe

        netsh.exe
          started: conhost.exe

      RegAsm.exe
        network: 104.21.47.60 (CLOUDFLARENETUS, United States)
        signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc)

      4 other processes
        network: 20.42.65.92 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 172.67.181.34 (CLOUDFLARENETUS, United States)
        signatures: Tries to steal Crypto Currency Wallets

  bUWKfj04aU.exe
    dropped: C:\Users\user\AppData\Local\...\explorgu.exe, PE32
    signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect virtualization through RDTSC time measurements; Potentially malicious time measurement code found

  svchost.exe
    network: 23.62.134.148 (AKAMAI-ASUS, United States); 127.0.0.1 (unknown, unknown)

  NewB.exe
    (no further edges recorded in the graph)