MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a40ca1799d213fd00ae20f5460456bbad0d9f5c8bf19d7a6013d2a54dd3bd150. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a40ca1799d213fd00ae20f5460456bbad0d9f5c8bf19d7a6013d2a54dd3bd150
SHA3-384 hash: d2b7e8a1fff9b2e3b635c6e9e44766e7f1b84b249edad38473777b8964bf648208751fe0d711462ba4ce3aec242a0f8d
SHA1 hash: 9e5b1c32a978f9cf6ee14de90e49d190b944b32c
MD5 hash: 7d0e3462a75ce00a696e961e9b70effb
humanhash: cat-five-twenty-charlie
File name:SoftwareSetupFile.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:3'256'832 bytes
First seen:2022-12-03 06:43:10 UTC
Last seen:2022-12-03 08:30:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:lp/262qMObXa0z2WLEO1gcdB9w2CAPHyVuTF:lpFau2SE8h9nnT
Threatray 88 similar samples on MalwareBazaar
TLSH T1B0E523027A46DB12D49C3D7126ED74593FEEFCC74A7E600EEF123A751EB9880985720A
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon ccccdcdc8eccf030 (14 x RedLineStealer, 3 x ArkeiStealer, 1 x RecordBreaker)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SoftwareSetupFile.exe
Verdict:
No threats detected
Analysis date:
2022-12-03 06:44:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4733849f-1a26-4a2c-8939-1b73dfaffc1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342166/
Detection(s):
SecuriteInfo.com.Win64.BotX-gen.2391.20368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Searching for analyzing tools
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638af034f6e448d42df70f15/reports/2a256cf6-70ed-4b1c-b338-6e6d2cd7b7fd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Yanluowang
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ecc02b46-28dc-4bde-b93b-0b8d65d48bdc
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126983
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadey bot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a40ca1799d213fd00ae20f5460456bbad0d9f5c8bf19d7a6013d2a54dd3bd150/
Threat name:
ByteCode-MSIL.Downloader.Deyma
Create hunting rule
Status:
Malicious
First seen:
2022-12-02 08:38:19 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
14 of 26 (53.85%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uqgkc6m5ee75acxcb5kgarllxlint5oix4m5pjqbhuvfjxj32fia._file
Verdict:
malicious
Similar samples:
319ead10ec14192ea1ba28c3079e72a581bbdbb13a67a3ccbe3066dfec86179a
Amadey
63018f38311387aa7f511f090fd154ea6ec3799c2f4762890082793912c68146
Amadey
7dc8f90673b102c2945e36747763ccccd243519500eca01fd1cfdbbfcb61d61b
Amadey
7e197097351b093b6698ed9634e8ae0dbd7bc4aa65470bde4ce131c4de641f64
Amadey
80991222b1cf2e863e1e8ac51b6fe90cf0b701df1d8af8c3a9ce9ec10e089f77
Amadey
873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42
Amadey
886a69165bbc6a7c3eddcbfa8bf1a037a4bd3f0e6a0d4d0627c0bc01ecc394bc
Amadey
+ 78 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey persistence trojan
Link:
https://tria.ge/reports/221203-hhg9vsch62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Amadey
Malware Config
C2 Extraction:
31.41.244.158/Mb1sDv3/index.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b4dc49e4-24c2-4d8a-b7b8-d83b8932655a
Unpacked files
SH256 hash:
a40ca1799d213fd00ae20f5460456bbad0d9f5c8bf19d7a6013d2a54dd3bd150
MD5 hash:
7d0e3462a75ce00a696e961e9b70effb
SHA1 hash:
9e5b1c32a978f9cf6ee14de90e49d190b944b32c
Link:
https://www.unpac.me/results/8c6497cb-9063-49a2-b5bc-77053fbf9eed/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a40ca1799d21/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.63
Link:
https://yomi.yoroi.company/submissions/a40ca1799d213fd00ae20f5460456bbad0d9f5c8bf19d7a6013d2a54dd3bd150

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/342166/

Comments