MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a793513b8de4a882b0b9ea762bb37d029b557b5061d85dce1064dd66006ca2bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a793513b8de4a882b0b9ea762bb37d029b557b5061d85dce1064dd66006ca2bc
SHA3-384 hash: 4c8cdb195a7d6c6ddf2be747de7b895cebac36d73bb4f746060fafcfcefe102c39c33bbc58f26d33b830e5cf01a038df
SHA1 hash: 20b794ce89c8192feba8200bedf47a4d3b2f032a
MD5 hash: e43ca6c6bff0b2ff9c4c3621ba1a206d
humanhash: butter-king-south-rugby
File name:e43ca6c6bff0b2ff9c4c3621ba1a206d.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:253'304 bytes
First seen:2023-09-10 22:25:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep 6144:kM1Ukz6DCGbAR/VeDC1tAOTcCywRLYurBiIg:kdkzaC+UjuLwuurBiIg
Threatray 34 similar samples on MalwareBazaar
TLSH T106349D11B4D1C433D832153609F0EBB55A3EB9600B659AEFA7A40F7E4F303C1AB75A66
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
162.33.179.91:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e43ca6c6bff0b2ff9c4c3621ba1a206d.exe
Verdict:
No threats detected
Analysis date:
2023-09-10 22:27:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3a7a9ede-81c8-441a-a948-5f6b832cf936

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447775/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.19965.14297.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/a793513b8de4a882b0b9ea762bb37d029b557b5061d85dce1064dd66006ca2bc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4036db40-54dd-4fa9-8e36-e7fec7d19ccc
Result
Threat name:
Amadey, Mystic Stealer, RedLine, SmokeLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306933
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1306933 Sample: SbwOkFTpRO.exe Startdate: 11/09/2023 Architecture: WINDOWS Score: 100 128 tse1.mm.bing.net 2->128 170 Snort IDS alert for network traffic 2->170 172 Found malware configuration 2->172 174 Malicious sample detected (through community Yara rule) 2->174 176 13 other signatures 2->176 13 SbwOkFTpRO.exe 1 2->13         started        16 ffdfwdr 2->16         started        18 oneetx.exe 2->18         started        20 oneetx.exe 2->20         started        signatures3 process4 signatures5 220 Contains functionality to inject code into remote processes 13->220 222 Writes to foreign memory regions 13->222 224 Allocates memory in foreign processes 13->224 226 Injects a PE file into a foreign processes 13->226 22 AppLaunch.exe 13->22         started        25 WerFault.exe 23 9 13->25         started        27 conhost.exe 13->27         started        29 AppLaunch.exe 13->29         started        process6 signatures7 208 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->208 210 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->210 212 Maps a DLL or memory area into another process 22->212 214 2 other signatures 22->214 31 explorer.exe 4 17 22->31 injected process8 dnsIp9 142 79.137.192.18, 49722, 80 PSKSET-ASRU Russian Federation 31->142 144 77.91.68.29, 49710, 49714, 49717 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 31->144 146 3 other IPs or domains 31->146 94 C:\Users\user\AppData\Roaming\ffdfwdr, PE32 31->94 dropped 96 C:\Users\user\AppData\Local\Temp\DEBC.exe, PE32 31->96 dropped 98 C:\Users\user\AppData\Local\Temp\A4D0.exe, PE32 31->98 dropped 100 3 other malicious files 31->100 dropped 164 System process connects to network (likely due to code injection or exploit) 31->164 166 Benign windows process drops PE files 31->166 168 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->168 36 718F.exe 4 31->36         started        40 DEBC.exe 4 31->40         started        42 25DB.exe 31->42         started        44 2 other processes 31->44 file10 signatures11 process12 dnsIp13 102 C:\Users\user\AppData\Local\...\x9474168.exe, PE32 36->102 dropped 104 C:\Users\user\AppData\Local\...\k7319947.exe, PE32 36->104 dropped 194 Antivirus detection for dropped file 36->194 196 Machine Learning detection for dropped file 36->196 47 x9474168.exe 4 36->47         started        106 C:\Users\user\AppData\Local\...\y6547779.exe, PE32 40->106 dropped 108 C:\Users\user\AppData\Local\...\p6362489.exe, PE32 40->108 dropped 51 y6547779.exe 4 40->51         started        110 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 42->110 dropped 198 Multi AV Scanner detection for dropped file 42->198 53 oneetx.exe 42->53         started        138 162.33.179.91, 49731, 80 CORENETUS United States 44->138 140 api.ip.sb 44->140 200 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->200 202 Found many strings related to Crypto-Wallets (likely being stolen) 44->202 204 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->204 206 5 other signatures 44->206 56 vbc.exe 44->56         started        file14 signatures15 process16 dnsIp17 120 C:\Users\user\AppData\Local\...\x9208225.exe, PE32 47->120 dropped 122 C:\Users\user\AppData\Local\...\j5930589.exe, PE32 47->122 dropped 148 Antivirus detection for dropped file 47->148 150 Machine Learning detection for dropped file 47->150 58 x9208225.exe 4 47->58         started        124 C:\Users\user\AppData\Local\...\y5673150.exe, PE32 51->124 dropped 126 C:\Users\user\AppData\Local\...\o7943666.exe, PE32 51->126 dropped 62 y5673150.exe 51->62         started        130 5.42.65.80, 49728, 49729, 49730 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 53->130 152 Multi AV Scanner detection for dropped file 53->152 154 Creates an undocumented autostart registry key 53->154 156 Uses schtasks.exe or at.exe to add and modify task schedules 53->156 64 cmd.exe 53->64         started        66 schtasks.exe 53->66         started        132 176.123.9.85, 16482, 49726 ALEXHOSTMD Moldova Republic of 56->132 158 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 56->158 160 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 56->160 162 Tries to steal Crypto Currency Wallets 56->162 file18 signatures19 process20 file21 112 C:\Users\user\AppData\Local\...\i7055000.exe, PE32 58->112 dropped 114 C:\Users\user\AppData\Local\...\g1062605.exe, PE32 58->114 dropped 216 Antivirus detection for dropped file 58->216 218 Machine Learning detection for dropped file 58->218 68 i7055000.exe 58->68         started        71 g1062605.exe 1 58->71         started        116 C:\Users\user\AppData\Local\...\n9203655.exe, PE32 62->116 dropped 118 C:\Users\user\AppData\Local\...\m2077835.exe, PE32 62->118 dropped 73 n9203655.exe 62->73         started        76 m2077835.exe 62->76         started        78 conhost.exe 64->78         started        80 cmd.exe 64->80         started        82 cacls.exe 64->82         started        86 4 other processes 64->86 84 conhost.exe 66->84         started        signatures22 process23 dnsIp24 178 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 68->178 180 Writes to foreign memory regions 71->180 182 Allocates memory in foreign processes 71->182 184 Injects a PE file into a foreign processes 71->184 88 AppLaunch.exe 1 71->88         started        90 conhost.exe 71->90         started        92 WerFault.exe 71->92         started        134 77.91.124.82, 19071, 49723, 49724 ECOTEL-ASRU Russian Federation 73->134 186 Antivirus detection for dropped file 73->186 188 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 73->188 190 Machine Learning detection for dropped file 73->190 192 Found many strings related to Crypto-Wallets (likely being stolen) 73->192 136 5.42.92.211, 49719, 49756, 49762 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 76->136 signatures25 process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a793513b8de4a882b0b9ea762bb37d029b557b5061d85dce1064dd66006ca2bc/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Suspicious
First seen:
2023-09-10 22:26:06 UTC
File Type:
PE (Exe)
AV detection:
13 of 38 (34.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6jvco4n4suifmfz5j3cxm35aknvk62qmhmf3tqqmtowmadmuk6a._file
Verdict:
unknown
Similar samples:
0e527f21ad917b87f93f2cd665f5e5b8ca6f51a2505a5002e3bc8309335a75d2
Amadey
2c8bd244edb14b9b5b52ab73e7e0c9042347bfaf4df70e9cdc15794f45d3212d
Amadey
87a93f4ea20e45fe032aa2032650a9fcd2bd9b1f7979e1712b69219f0badb4e5
Amadey
9639194d52836b05f842c10260f9e93bb96d17fcca0a492d870455c6c6640a74
Amadey
9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
Amadey
9dbd99fa1c2374f30796069965e0e29d727295ce2a700a3a27cc7c384ab1a60d
Amadey
b1e2a3c398285245e9f23bcc6ed924620c76a703f6403495e29fd13df598131a
Amadey
c3de8f808b7c5b3b37549bb8b6bea11463eed6a74532797f9a4214c1b5ea747f
Amadey
cca65a9ffc4cc09af8e29a65071ff6b5c2b10086caa8ca201322fab28d46a48d
Amadey
e6bf0f01bd6fe616d8f3f65fdf8c1fead831e5607a406a256661b0d9ab0098b6
Amadey
+ 24 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:smokeloader backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230910-2cgwpaca3w/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Amadey
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
http://5.42.65.80/8bmeVwqx/index.php
Unpacked files
SH256 hash:
a793513b8de4a882b0b9ea762bb37d029b557b5061d85dce1064dd66006ca2bc
MD5 hash:
e43ca6c6bff0b2ff9c4c3621ba1a206d
SHA1 hash:
20b794ce89c8192feba8200bedf47a4d3b2f032a
Link:
https://www.unpac.me/results/c0f68dfa-dbf5-4c64-9868-15fd9383c9dc/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a793513b8de4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/a793513b8de4a882b0b9ea762bb37d029b557b5061d85dce1064dd66006ca2bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe a793513b8de4a882b0b9ea762bb37d029b557b5061d85dce1064dd66006ca2bc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710381/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447775/

Comments