MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5e65380e98c1f0a3f8552bcd35090f14cfb74973ed39b7b5482d3d42a78e08a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 17



SHA256 hash: a5e65380e98c1f0a3f8552bcd35090f14cfb74973ed39b7b5482d3d42a78e08a
SHA3-384 hash: abf30223bd666742d263a77e324075eb72eb799e9ac8bafd859f6e15b4a9b81f2f26824c56b47226c003fd4529f216d0
SHA1 hash: 22080faaa8259eed4723eee0d045890e866b9d8d
MD5 hash: bce8d1c24aaa492237eef8ab39403025
humanhash: timing-queen-happy-utah
File name: file
Signature: Amadey
File size: 3'092'992 bytes
First seen: 2024-12-21 09:12:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:59M5PDq9UpDX3WamgOuWAu0OTm7bp9ZQ1Lwp4lyQ9J0K:59KPDUUpLJmgOpAuz2bp9ZewpIyQ3
TLSH: T1B6E54A93B585B2CFE08A17788527CD829A6D43B9072448C3E86C657FBEE7CC515BEC24
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: Bitsight
Tags: Amadey exe


Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 408
Origin country: US

Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2024-12-21 09:13:26 UTC
Tags: amadey botnet stealer loader auto coinminer autoit arch-exec cryptbot telegram lumma github stealc gcleaner credentialflusher themida

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit lien
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: microsoft_visual_cc packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Amadey, Cryptbot, LummaC Stealer
Detection: malicious
Classification: rans.troj.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Leaks process information
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Amadeys stealer DLL
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph not reproduced in text] Behavior Graph ID: 1579265, Sample: file.exe, Startdate: 21/12/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.CryptBot
Status: Malicious
First seen: 2024-12-21 09:13:06 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 21 of 23 (91.30%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:amadey family:gcleaner family:lumma family:stealc family:vidar botnet:9c9aa5 botnet:stok credential_access discovery evasion execution loader persistence spyware stealer trojan upx
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Vidar
Vidar family
Malware Config
C2 Extraction:
http://185.215.113.43
http://185.215.113.206
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: eedbf0d3410b74c25d41d2da748b0974c460db4cbc0ad6ac9dc792ce5c3b3376
MD5 hash: 63fb226c35e3397e5d4eadf46ec9946f
SHA1 hash: 809d9cdd294b41e383a58964b7db78c0b41d09f7
Detections: Amadey win_amadey
SHA256 hash: a5e65380e98c1f0a3f8552bcd35090f14cfb74973ed39b7b5482d3d42a78e08a
MD5 hash: bce8d1c24aaa492237eef8ab39403025
SHA1 hash: 22080faaa8259eed4723eee0d045890e866b9d8d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Malware family: Amadey
File: Executable exe a5e65380e98c1f0a3f8552bcd35090f14cfb74973ed39b7b5482d3d42a78e08a (this sample)
Dropped by: StealC
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                      Severity
CHECK_AUTHENTICODE          Missing Authenticode                                       high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)     high
CHECK_NX                    Missing Non-Executable Memory Protection                   critical
CHECK_TRUST_INFO            Requires Elevated Execution (uiAccess:None)                high
