MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a777bbce91625e3261edebb334be8610372daaf0790763fc2fd085db35b8463d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 14

SHA256 hash: a777bbce91625e3261edebb334be8610372daaf0790763fc2fd085db35b8463d
SHA3-384 hash: 0887fa02334aae7c3e1c5e53c10d48d61288e86899b4a3e88f1b6bd669e24d72d3f2fce85779c47def499368326912af
SHA1 hash: 413d73dd32bcce870cf5edd4b777051762882034
MD5 hash: 33a84ea233fe9fe1b4c85e533a228bbd
humanhash: edward-six-october-grey
File name: 33a84ea233fe9fe1b4c85e533a228bbd
Signature: Amadey
File size: 1'870'848 bytes
First seen: 2024-07-26 11:46:09 UTC
Last seen: 2024-07-26 13:21:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:70jEH8GosswSBQTiNQza4GYnSZrV2azV/r4wCY9W:704cwfSlQeAnSZpTIY9
TLSH: T13A853363DFB4A999C40C6AFF243B54A72AB945DB856D2AC810BCE23CDC1F780B44E4D5
TrID: 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      9.1% (.EXE) OS/2 Executable (generic) (2029/13)
      9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: zbetcheckin
Tags: 32 Amadey exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 360
Origin country: FR
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Tags:
Execution Generic Infostealer Network Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, Babadeda, Stealc, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 1483008, sample 6SoKuOqyNh.exe, start date 26/07/2024, architecture WINDOWS, score 100 (the rendered process, file and network graph is not reproduced here).
Threat name:
Win32.Packed.Generic
Status:
Suspicious
First seen:
2024-07-26 11:47:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
1/5
Verdict:
malicious
Result
Malware family:
Score:
10/10
Tags:
family:amadey family:monster family:redline family:stealc botnet:0657d1 botnet:25072023 botnet:fed3aa botnet:sila credential_access discovery evasion infostealer persistence pyinstaller spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detects Monster Stealer.
Monster
RedLine
RedLine payload
Stealc
Malware Config
C2 Extraction:
http://185.215.113.19
http://185.215.113.16
http://85.28.47.31
185.215.113.67:40960
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash: 71eeee4c3e6ae82d2f44dbf1489bd2731c3fbb1b1e6ce1c67c1b8c7780fb5b23
MD5 hash: 6aaab21cd814dc18d0190881e5c9f03c
SHA1 hash: bbfb129bc3786598d88c987236368df0e1e7db75
Detections: win_amadey

SHA256 hash: a777bbce91625e3261edebb334be8610372daaf0790763fc2fd085db35b8463d
MD5 hash: 33a84ea233fe9fe1b4c85e533a228bbd
SHA1 hash: 413d73dd32bcce870cf5edd4b777051762882034
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: Amadey
File type: Executable exe
SHA256: a777bbce91625e3261edebb334be8610372daaf0790763fc2fd085db35b8463d (this sample)

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical

Comments
zbet commented on 2024-07-26 11:46:09 UTC

url : hxxp://185.215.113.13/mine/enter.exe