MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1c3aab7bc661fee2a1b3dea08f827e179d0991a58438efe8c464d22f9d73558. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 16

Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash:	a1c3aab7bc661fee2a1b3dea08f827e179d0991a58438efe8c464d22f9d73558
SHA3-384 hash:	ea13b27652d1ef5db6eafcd604d8093277d8942ae9b32bb9b568b396334a0bdf3bb0882e4be12b2d3a4e914ff34736f2
SHA1 hash:	1cc2189c2b8d5d8cfe1cbe520770ac523612b792
MD5 hash:	7c5f0fb436e189ad3e8c2074f9f1cc24
humanhash:	glucose-spaghetti-failed-undress
File name:	7C5F0FB436E189AD3E8C2074F9F1CC24.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	1'798'224 bytes
First seen:	2023-07-11 23:40:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3754dda33dc080f071676ed9f441f28d (1 x Amadey)
ssdeep	12288:hsmqGF1MtAY8J0awXVF005vhTlqIKJh7x/iib25QPHUtd:hz/LpY8KawX0YvZsx/iib2Ew
Threatray	434 similar samples on MalwareBazaar
TLSH	T18485285D51B000B2E7E22D3BAA66AB5408B17DCC9B1777F5179C0BC83BE4348A3F9196
TrID	35.5% (.EXE) Win32 Executable Delphi generic (14182/79/4) 32.8% (.SCR) Windows screen saver (13097/50/3) 11.2% (.EXE) Win32 Executable (generic) (4505/5/1) 5.1% (.EXE) Win16/32 Executable Delphi generic (2072/23) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	abuse_ch
Tags:	Amadey exe signed

Code Signing Certificate

Organisation:	KATEN LLC
Issuer:	GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-05-11T07:02:53Z
Valid to:	2024-05-11T07:02:53Z
Serial number:	2852d9449ede257b7514dd98
Thumbprint Algorithm:	SHA256
Thumbprint:	f012585d4b977e6d51824f9f8e390c43f4659d115f74035622b662490b8c1e26
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

Amadey C2:
http://getupdate.click/8bmeVwqx/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

397

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

7C5F0FB436E189AD3E8C2074F9F1CC24.exe

Verdict:

Malicious activity

Analysis date:

2023-07-11 23:42:17 UTC

Tags:

amadey trojan loader

Link:

https://app.any.run/tasks/22fdef04-fcac-4ee0-ae51-42c8d30959f2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/416172/

Detection(s):

SecuriteInfo.com.Variant.Tedy.394657.22736.21425.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Launching cmd.exe command interpreter

Creating a file

DNS request

Sending an HTTP POST request

Delayed reading of the file

Adding an access-denied ACE

Launching the default Windows debugger (dwwin.exe)

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/97184/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control keylogger lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/64ade88e730800029d38b138/reports/63f0be76-bde4-41e9-9205-033a6e0ef6d7/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/a1c3aab7bc661fee2a1b3dea08f827e179d0991a58438efe8c464d22f9d73558

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20ce67e0-97c8-44d5-9b57-618f2db4484e

Result

Threat name:

Amadey

Detection:

malicious

Classification:

spyw.evad

Score:

78 / 100

Link:

https://www.joesandbox.com/analysis/1271309

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Yara detected Amadeys stealer DLL

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1c3aab7bc661fee2a1b3dea08f827e179d0991a58438efe8c464d22f9d73558/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-07-09 15:35:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uhb2vn54myp64kq3hxvar6bh4f45bgi2lbby57umizgsf6oxgvma._file

Verdict:

malicious

Amadey

28f5e5e43a67a48c6a41f9814a50b6faf5d20dfee6b17e867429efca82394681

Amadey

2d46060078a180d844d5c466209b357fecab66cf3bbd01f81222bcb5cc08906f

Amadey

5339db49221a69b2723c19804390ed986019b07b064f370bf5317962c235cccf

Amadey

589598f28559e972e9cfe2b17798a77c91d90dfc4c6abcbec2ce2f84cd972216

Amadey

77348361e60bd2f12aeb1d0928a38b8745de7e93069cfc7a9361a11f1c87d62a

Amadey

956ad9b8b0f3fe9a83d875f0b90b3c6fc72e3b670549de683de44b70f0a090c8

Amadey

+ 424 additional samples on MalwareBazaar

Result

Malware family:

amadey

Score:

10/10

Tags:

family:amadey spyware stealer trojan

Link:

https://tria.ge/reports/230711-3pd61aba99/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Program crash

Drops file in System32 directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Amadey

Malware Config

C2 Extraction:

getupdate.click/8bmeVwqx/index.php
getupdate2.click /8bmeVwqx/index.php
getupdate3.click/8bmeVwqx/index.php

Unpacked files

SH256 hash:

4fe6c2a1aca26a493d7e040739ba4843c684cb61d1602270cc2e451a52fd80e5

MD5 hash:

564a488abd51643b77195be9fb425847

SHA1 hash:

a64d68f7478bc4eec14a5209576052ff09c8dbc2

Detections:

Amadey

Link:

https://www.unpac.me/results/5b0bbb67-a738-45b7-a252-12eb26acfeb0/

SH256 hash:

a1c3aab7bc661fee2a1b3dea08f827e179d0991a58438efe8c464d22f9d73558

MD5 hash:

7c5f0fb436e189ad3e8c2074f9f1cc24

SHA1 hash:

1cc2189c2b8d5d8cfe1cbe520770ac523612b792

Link:

https://www.unpac.me/results/5b0bbb67-a738-45b7-a252-12eb26acfeb0/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a1c3aab7bc66/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	win_amadey_a9f4 Create hunting rule
Author:	Johannes Bader
Description:	matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/416172/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample