MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5fa23aabe7af2e9417da64e88817b272ac9941d6bdf80e98dca83296177cea7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5fa23aabe7af2e9417da64e88817b272ac9941d6bdf80e98dca83296177cea7
SHA3-384 hash: 5842addb097c694a942767b10a5c0214672d8dbbd9e3bdc3476f2271e4c90127abecaccc337c7659d0e271151d6fe9e0
SHA1 hash: ac38de5564953b63ba3a221ba218364f78d79375
MD5 hash: e36a340568cf42594f0c60ef1ae6a0b1
humanhash: arkansas-maine-quiet-montana
File name:E36A340568CF42594F0C60EF1AE6A0B1.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:445'440 bytes
First seen:2024-07-28 12:35:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f524bbe3419681c6783b5efcee446fb5 (2 x Amadey)
ssdeep 12288:zRflODpTjWeCSqvLoJLtDJD3NSbsBW5u2Ogl:V8lTjDCSqvsJxBQbLR
TLSH T1C9946C213952C032C65092711E68FFF5D4EDE9259B710ADB77C40F7AAE211E26A31F3A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://185.215.113.101/g99kdj4vsA/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.215.113.101/g99kdj4vsA/index.php https://threatfox.abuse.ch/ioc/1304483/

Intelligence

File Origin
# of uploads :
1
# of downloads :
382
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a63b3446f80f37dcaa906c
Tags:
Execution Generic Infostealer Network Stealth Trojan Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Delayed reading of the file
Creating a file in the %AppData% subdirectories
Launching a process
Launching the process to change network settings
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
amadey amadey epmicrosoft_visual_cc lolbin microsoft_visual_cc shell32 stealer zusy
Link:
https://www.filescan.io/uploads/66a63b34bd793c18bfb6e1cd/reports/0192b46d-dfcf-48dc-b524-7d7b10a532ad/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd9b07a2-13fc-4c49-913f-8fa75c5684b2
Result
Threat name:
Amadey, LockBit ransomware, PureLog Stea
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1483656
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes the wallpaper picture
Contains functionality to inject code into remote processes
Deletes itself after installation
Drops PE files with a suspicious file extension
Found malware configuration
Found ransom note / readme
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected LockBit ransomware
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1483656 Sample: 8Y78ZNdmmQ.exe Startdate: 28/07/2024 Architecture: WINDOWS Score: 100 155 Found malware configuration 2->155 157 Malicious sample detected (through community Yara rule) 2->157 159 Antivirus detection for dropped file 2->159 161 24 other signatures 2->161 10 Hkbsse.exe 38 2->10         started        14 Hkbsse.exe 2->14         started        16 8Y78ZNdmmQ.exe 5 2->16         started        19 4 other processes 2->19 process3 dnsIp4 143 185.215.113.101 WHOLESALECONNECTIONSNL Portugal 10->143 119 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 10->119 dropped 121 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 10->121 dropped 123 C:\Users\user\AppData\Local\Temp\...\s5.exe, PE32 10->123 dropped 129 6 other malicious files 10->129 dropped 21 s5.exe 10->21         started        25 HostelCurves.exe 10->25         started        28 rundll32.exe 10->28         started        30 rundll32.exe 12 10->30         started        32 rundll32.exe 14->32         started        34 rundll32.exe 14->34         started        125 C:\Users\user\AppData\Local\...\Hkbsse.exe, PE32 16->125 dropped 127 C:\Users\user\...\Hkbsse.exe:Zone.Identifier, ASCII 16->127 dropped 151 Contains functionality to inject code into remote processes 16->151 36 Hkbsse.exe 16->36         started        145 20.42.73.26 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->145 147 52.109.32.7 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->147 149 4 other IPs or domains 19->149 153 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->153 38 Pixelize.pif 19->38         started        40 Pixelize.pif 19->40         started        file5 signatures6 process7 dnsIp8 141 162.19.58.161 CENTURYLINK-US-LEGACY-QWESTUS United States 21->141 163 Multi AV Scanner detection for dropped file 21->163 165 Machine Learning detection for dropped file 21->165 167 Writes to foreign memory regions 21->167 173 2 other signatures 21->173 42 AddInProcess32.exe 21->42         started        46 AddInProcess32.exe 21->46         started        48 AddInProcess32.exe 21->48         started        101 C:\Users\user\AppData\Local\Temp\Toyota, data 25->101 dropped 103 C:\Users\user\AppData\Local\Temp\Tagged, data 25->103 dropped 105 C:\Users\user\AppData\Local\Temp\Repair, data 25->105 dropped 107 5 other malicious files 25->107 dropped 169 Found stalling execution ending in API Sleep call 25->169 171 Writes many files with high entropy 25->171 50 cmd.exe 25->50         started        52 rundll32.exe 21 28->52         started        54 rundll32.exe 32->54         started        file9 signatures10 process11 file12 109 C:\Users\...\content-prefs.sqlite.axOkKRj8m, DOS 42->109 dropped 111 C:\Users\user\...\wctDB2E.tmp.axOkKRj8m, DOS 42->111 dropped 113 DESKTOP-AGET0TR-20...-1258.log.axOkKRj8m, DOS 42->113 dropped 117 261 other malicious files 42->117 dropped 185 Overwrites Mozilla Firefox settings 42->185 187 Tries to harvest and steal browser information (history, passwords, etc) 42->187 189 Writes to foreign memory regions 42->189 207 2 other signatures 42->207 56 94D6.tmp 42->56         started        59 splwow64.exe 42->59         started        209 2 other signatures 46->209 61 InstallUtil.exe 46->61         started        115 C:\Users\user\AppData\Local\...\Racing.pif, PE32 50->115 dropped 191 Drops PE files with a suspicious file extension 50->191 193 Uses schtasks.exe or at.exe to add and modify task schedules 50->193 195 Writes many files with high entropy 50->195 63 Racing.pif 50->63         started        74 9 other processes 50->74 197 Uses netsh to modify the Windows network and firewall settings 52->197 199 Tries to harvest and steal WLAN passwords 52->199 66 powershell.exe 26 52->66         started        68 netsh.exe 2 52->68         started        201 System process connects to network (likely due to code injection or exploit) 54->201 203 Tries to steal Instant Messenger accounts or passwords 54->203 205 Tries to harvest and steal ftp login credentials 54->205 70 powershell.exe 54->70         started        72 netsh.exe 54->72         started        signatures13 process14 file15 175 Hides threads from debuggers 56->175 177 Deletes itself after installation 56->177 76 cmd.exe 56->76         started        78 conhost.exe 61->78         started        131 C:\Users\user\AppData\Local\...\Pixelize.pif, PE32 63->131 dropped 133 C:\Users\user\AppData\Local\...\d, data 63->133 dropped 135 C:\Users\user\AppData\Local\...\Pixelize.js, ASCII 63->135 dropped 179 Drops PE files with a suspicious file extension 63->179 181 Writes many files with high entropy 63->181 80 cmd.exe 63->80         started        83 cmd.exe 63->83         started        137 C:\Users\user\...\246122658369_Desktop.zip, Zip 66->137 dropped 183 Loading BitLocker PowerShell Module 66->183 85 conhost.exe 66->85         started        87 conhost.exe 68->87         started        89 conhost.exe 70->89         started        91 conhost.exe 72->91         started        139 C:\Users\user\AppData\Local\Temp\419651\P, data 74->139 dropped signatures16 process17 file18 99 C:\Users\user\AppData\...\Pixelize.url, MS 80->99 dropped 93 conhost.exe 80->93         started        95 conhost.exe 83->95         started        97 schtasks.exe 83->97         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5fa23aabe7af2e9417da64e88817b272ac9941d6bdf80e98dca83296177cea7/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-07-18 22:15:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ux5chkv6plzosql5uzhiral3e4vmtfa5nppyb2mnzkbssylxz2tq._file
Verdict:
malicious
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:0163e2 credential_access defense_evasion discovery execution persistence privilege_escalation ransomware spyware stealer trojan
Link:
https://tria.ge/reports/240728-psw94axejq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Windows directory
Drops file in System32 directory
Enumerates processes with tasklist
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops desktop.ini file(s)
Indicator Removal: File Deletion
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (652) files with added filename extension
Amadey
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.215.113.101
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4fb50226-08bd-4bdd-847c-ee89ac07d0c2
Unpacked files
SH256 hash:
a5fa23aabe7af2e9417da64e88817b272ac9941d6bdf80e98dca83296177cea7
MD5 hash:
e36a340568cf42594f0c60ef1ae6a0b1
SHA1 hash:
ac38de5564953b63ba3a221ba218364f78d79375
Detections:
win_amadey_auto
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/d3cb4b8e-afc3-4a2a-b80b-7712d399b2e6/
Parent samples :
a5fa23aabe7af2e9417da64e88817b272ac9941d6bdf80e98dca83296177cea7
52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5fa23aabe7af2e9417da64e88817b272ac9941d6bdf80e98dca83296177cea7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_1f2e969c
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.amadey.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::GetSidSubAuthority
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipGetImageEncodersSize
gdiplus.dll::GdipGetImageEncoders
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetSidIdentifierAuthority
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHFileOperationA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameA
ADVAPI32.dll::LookupAccountNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegGetValueA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo

Comments