MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a62957f0f0841d1beae382566873d05785fa5c2ed0949a996c0778602ca4c288. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a62957f0f0841d1beae382566873d05785fa5c2ed0949a996c0778602ca4c288
SHA3-384 hash: 58b4e0a98df25cd0fa2e297050687babf775f2ff6e1c85d27c228d0d2cb6dd2cf8518547f45a4fbb021816b53b718b02
SHA1 hash: c2dc4114b6ec0cb498cd6554b19e6c0ca223a88d
MD5 hash: caad077f15221b206bb12c3184c66542
humanhash: harry-failed-florida-pluto
File name:caad077f15221b206bb12c3184c66542.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'389'496 bytes
First seen:2022-06-06 17:01:13 UTC
Last seen:2022-06-06 17:38:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 59fdc9cf44445c51b55dc51f095af280 (2 x RedLineStealer, 1 x Amadey)
ssdeep 24576:KLnGNwjG42saUlHMoUsJ8rumjAHoF0Zei4QQgsn5HMKNOqXCuGI93h0MwlnFZnD5:endZU+Yu3gwf4vDn5HMKNRXtvRcFH
TLSH T18255128D62D49036EC6A6EB8457F7EF91432A85367A3B18F08D9705CEFB31D21246B07
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 801c8e837eaea7a2 (1 x Amadey)
Reporter abuse_ch
Tags:Amadey exe signed

Code Signing Certificate

Organisation:bbb.org
Issuer:Amazon
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-16T00:00:00Z
Valid to:2023-01-14T23:59:59Z
Serial number: 0d73c62656429bf41f5e54f06c655da1
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 19d8916d44cd76ddaf23d6db9bbaa42d92fc0327c42d1aef189e8eac23a43f16
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Amadey C2:
http://62.204.41.174/f8dfksdj3/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://62.204.41.174/f8dfksdj3/index.php https://threatfox.abuse.ch/ioc/658605/

Intelligence

File Origin
# of uploads :
2
# of downloads :
462
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
caad077f15221b206bb12c3184c66542.exe
Verdict:
Malicious activity
Analysis date:
2022-06-06 17:15:07 UTC
Tags:
trojan amadey
Link:
https://app.any.run/tasks/4caafcd9-a4a8-475e-9beb-f3796c8e09b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277102/
Detection(s):
SecuriteInfo.com.Variant.Jaik.79070.15802.23380.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/629e3316816de95910e1087d/reports/23a8716e-30ea-454d-8b92-4e6863c54c94/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1b427eab-e516-42ca-9ce6-cf3d080d7015
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1007542
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a62957f0f0841d1beae382566873d05785fa5c2ed0949a996c0778602ca4c288/
Threat name:
Win32.Trojan.Nymaim
Create hunting rule
Status:
Malicious
First seen:
2022-06-02 00:14:10 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uyuvp4hqqqorx2xdqjlgq46qk6c7uxbo2ckjvglma54galfeykea._file
Verdict:
malicious
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey suricata trojan
Link:
https://tria.ge/reports/220606-vj4wgaaaa2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Amadey
suricata: ET MALWARE Amadey CnC Check-In
Malware Config
C2 Extraction:
62.204.41.174/f8dfksdj3/index.php
Unpacked files
SH256 hash:
81edb8d7331165e9e7ece349106259bc60a0b9d3acf565551a2dc2752626ba21
MD5 hash:
e3f36eddb8c006356fdeb5e1f49632e8
SHA1 hash:
b7f813b854b680dd4da7f70111a1ee4a647fd405
Link:
https://www.unpac.me/results/96c2ad00-1f81-4000-a627-b2bf64508bbd/
SH256 hash:
973911b7ca3c24eb5d3690e67ae61badc8eb71749ef1d44b386a99c6ca76d052
MD5 hash:
89c979ff32fb8525a9620da03eb08f0d
SHA1 hash:
176ac862549124c578b6f32493c1b1d137091115
Link:
https://www.unpac.me/results/96c2ad00-1f81-4000-a627-b2bf64508bbd/
SH256 hash:
39de44e8a3b15e47b47979ce2fbe5fcb48fe77e55ce5d513ff9bb7094a87a268
MD5 hash:
02beab5bf5298374f7f746ed6aca0d6e
SHA1 hash:
03da99df3ca80cac1897a0aec63d8253023970be
Link:
https://www.unpac.me/results/96c2ad00-1f81-4000-a627-b2bf64508bbd/
SH256 hash:
a62957f0f0841d1beae382566873d05785fa5c2ed0949a996c0778602ca4c288
MD5 hash:
caad077f15221b206bb12c3184c66542
SHA1 hash:
c2dc4114b6ec0cb498cd6554b19e6c0ca223a88d
Link:
https://www.unpac.me/results/96c2ad00-1f81-4000-a627-b2bf64508bbd/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a62957f0f084/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a62957f0f0841d1beae382566873d05785fa5c2ed0949a996c0778602ca4c288

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277102/

Comments