MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3e22c15b300c6a2902800a127e2a364f0c5707041acdf9851e8c77407e963a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3e22c15b300c6a2902800a127e2a364f0c5707041acdf9851e8c77407e963a3
SHA3-384 hash: bb65499332c674a7b32773696e8b7a577c8fa27148f38342c5de4a2f47fa54aedfdc79e9ccce9fddedd0ddd3e98bef8e
SHA1 hash: 78bd228d8dbe0b7db0d74f2630adfc051740743f
MD5 hash: 2d0066cc4ed344e8330d9dcb9f8ca385
humanhash: pip-bulldog-november-ceiling
File name:2d0066cc4ed344e8330d9dcb9f8ca385
Download: download sample
Signature Amadey
Create hunting rule
File size:1'953'792 bytes
First seen:2024-03-21 05:46:51 UTC
Last seen:2024-03-21 07:34:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:MNu/lUESYCMCaQnIPxLioxTClIOSnLR0rgg6h18LVH:MiKEZTCaQIZbRCCOgK968J
TLSH T1AB953363846F2AADD0034738D76B4372AECBF78599F5465DABCC0AF50DB73A80493A14
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
406
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
a3e22c15b300c6a2902800a127e2a364f0c5707041acdf9851e8c77407e963a3.exe
Verdict:
Malicious activity
Analysis date:
2024-03-21 05:48:48 UTC
Tags:
amadey botnet stealer loader lumma redline opendir stealc risepro smoke smokeloader
Link:
https://app.any.run/tasks/6a956577-37fc-4332-9f4c-4cc7a72181a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.5140.15809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Launching the process to change network settings
Connection attempt to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65fbc9d883a3efb188d54045/reports/a0ccba57-b8ea-4bd7-9556-a0b0a901b9ea/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a3e22c15b300c6a2902800a127e2a364f0c5707041acdf9851e8c77407e963a3
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c1d16bca-8a51-4139-a46f-1f9dca10f001
Result
Threat name:
LummaC, Amadey, LummaC Stealer, PureLog
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1412884
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1412884 Sample: 6BxakoD7u9.exe Startdate: 21/03/2024 Architecture: WINDOWS Score: 100 130 Multi AV Scanner detection for domain / URL 2->130 132 Found malware configuration 2->132 134 Malicious sample detected (through community Yara rule) 2->134 136 25 other signatures 2->136 9 explorgu.exe 2 61 2->9         started        14 MPGPH131.exe 2->14         started        16 MPGPH131.exe 2->16         started        18 10 other processes 2->18 process3 dnsIp4 118 185.215.113.32 WHOLESALECONNECTIONSNL Portugal 9->118 120 91.215.85.131 PINDC-ASRU Russian Federation 9->120 126 3 other IPs or domains 9->126 84 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 9->84 dropped 86 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 9->86 dropped 94 31 other malicious files 9->94 dropped 190 Multi AV Scanner detection for dropped file 9->190 192 Detected unpacking (changes PE section rights) 9->192 194 Creates multiple autostart registry keys 9->194 214 4 other signatures 9->214 20 random.exe 9->20         started        25 amadka.exe 9->25         started        27 osminog.exe 2 9->27         started        33 8 other processes 9->33 96 7 other malicious files 14->96 dropped 196 Tries to steal Mail credentials (via file / registry access) 14->196 198 Machine Learning detection for dropped file 14->198 200 Tries to harvest and steal browser information (history, passwords, etc) 14->200 29 VhnsBWZ81ocUAyDaDaBY.exe 14->29         started        98 6 other malicious files 16->98 dropped 202 Found many strings related to Crypto-Wallets (likely being stolen) 16->202 204 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->204 31 LrrWvQISvY3oWXxFQWgn.exe 16->31         started        122 23.51.58.94 TMNET-AS-APTMNetInternetServiceProviderMY United States 18->122 124 193.233.132.56 FREE-NET-ASFREEnetEU Russian Federation 18->124 128 2 other IPs or domains 18->128 88 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 18->88 dropped 90 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 18->90 dropped 92 SystemMechanic_548...38868BD1.exe (copy), PE32 18->92 dropped 100 6 other malicious files 18->100 dropped 206 Benign windows process drops PE files 18->206 208 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 18->208 210 Tries to evade debugger and weak emulator (self modifying code) 18->210 212 Tries to detect virtualization through RDTSC time measurements 18->212 file5 signatures6 process7 dnsIp8 102 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 20->102 104 104.26.5.15 CLOUDFLARENETUS United States 20->104 72 C:\Users\user\...\shfGxLxUsEji7QeLZsgt.exe, PE32 20->72 dropped 74 C:\Users\user\...\ab7x6oSq65lgNPEY48NU.exe, PE32 20->74 dropped 76 C:\Users\user\...\1Mi4Jvb6bMt1xn8s8A2K.exe, PE32 20->76 dropped 80 15 other malicious files 20->80 dropped 164 Detected unpacking (changes PE section rights) 20->164 166 Binary is likely a compiled AutoIt script file 20->166 168 Tries to steal Mail credentials (via file / registry access) 20->168 182 5 other signatures 20->182 35 1Mi4Jvb6bMt1xn8s8A2K.exe 20->35         started        51 4 other processes 20->51 78 C:\Users\user\AppData\Local\...\explorha.exe, PE32 25->78 dropped 184 4 other signatures 25->184 38 explorha.exe 25->38         started        170 Multi AV Scanner detection for dropped file 27->170 172 Found many strings related to Crypto-Wallets (likely being stolen) 27->172 174 Writes to foreign memory regions 27->174 186 3 other signatures 27->186 40 RegAsm.exe 27->40         started        43 conhost.exe 27->43         started        106 193.233.132.74 FREE-NET-ASFREEnetEU Russian Federation 33->106 108 217.195.207.156 ASFIBERSUNUCUTR Turkey 33->108 110 41.216.183.153 AS40676US South Africa 33->110 176 System process connects to network (likely due to code injection or exploit) 33->176 178 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->178 180 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 33->180 188 4 other signatures 33->188 45 rundll32.exe 25 33->45         started        47 RegAsm.exe 33->47         started        49 RegAsm.exe 33->49         started        53 7 other processes 33->53 file9 signatures10 process11 dnsIp12 138 Tries to detect sandboxes / dynamic malware analysis system (registry check) 35->138 140 Detected unpacking (changes PE section rights) 38->140 142 Tries to detect sandboxes and other dynamic analysis tools (window names) 38->142 160 3 other signatures 38->160 112 172.67.217.100 CLOUDFLARENETUS United States 40->112 144 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->144 146 Query firmware table information (likely to detect VMs) 40->146 148 Found many strings related to Crypto-Wallets (likely being stolen) 40->148 150 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 40->150 152 Tries to steal Instant Messenger accounts or passwords 45->152 154 Uses netsh to modify the Windows network and firewall settings 45->154 162 2 other signatures 45->162 55 powershell.exe 45->55         started        58 netsh.exe 2 45->58         started        114 172.67.147.173 CLOUDFLARENETUS United States 47->114 156 Tries to steal Crypto Currency Wallets 47->156 158 Tries to harvest and steal browser information (history, passwords, etc) 49->158 60 conhost.exe 51->60         started        62 conhost.exe 51->62         started        64 conhost.exe 51->64         started        66 conhost.exe 51->66         started        116 4.185.137.132 LEVEL3US United States 53->116 signatures13 process14 file15 82 C:\Users\user\...\246122658369_Desktop.zip, Zip 55->82 dropped 68 conhost.exe 55->68         started        70 conhost.exe 58->70         started        process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a3e22c15b300c6a2902800a127e2a364f0c5707041acdf9851e8c77407e963a3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3e22c15b300c6a2902800a127e2a364f0c5707041acdf9851e8c77407e963a3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-03-21 05:47:07 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 38 (52.63%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uprcyfntaddkfebiacqspyvdmtymk4dqigwn7gcr5ddxib7jmorq._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:redline family:risepro family:zgrat botnet:livetraffic discovery evasion infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240321-ggv9naec2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect ZGRat V1
Lumma Stealer
RedLine
RedLine payload
RisePro
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.32
4.185.137.132:1632
193.233.132.62:58709
193.233.132.74:58709
http://193.233.132.56
https://resergvearyinitiani.shop/api
https://relevantvoicelesskw.shop/api
Unpacked files
SH256 hash:
e38351223307db9e6cae16d6ee8a2a4de0a9063f2c66833ca35f2fdae21c71b7
MD5 hash:
47ffb2dfef1ae7cc877d429d6205da44
SHA1 hash:
90f407ee3cba673374419124bc3063469feffb8d
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/decd9ef8-e7ad-407b-85d7-41bfa6e8d784/
SH256 hash:
a3e22c15b300c6a2902800a127e2a364f0c5707041acdf9851e8c77407e963a3
MD5 hash:
2d0066cc4ed344e8330d9dcb9f8ca385
SHA1 hash:
78bd228d8dbe0b7db0d74f2630adfc051740743f
Link:
https://www.unpac.me/results/decd9ef8-e7ad-407b-85d7-41bfa6e8d784/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a3e22c15b300/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3e22c15b300c6a2902800a127e2a364f0c5707041acdf9851e8c77407e963a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe a3e22c15b300c6a2902800a127e2a364f0c5707041acdf9851e8c77407e963a3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2757406/
  
URLhaus
https://urlhaus.abuse.ch/url/2759927/
  
URLhaus
https://urlhaus.abuse.ch/url/2761196/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments


Avatar
zbet commented on 2024-03-21 05:46:52 UTC

url : hxxp://185.215.113.45/mine/amert.exe