MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7a661cf43d7129a809901c641998089aff10f97a09bbdf5874ba16c01db5dfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7a661cf43d7129a809901c641998089aff10f97a09bbdf5874ba16c01db5dfb
SHA3-384 hash: 81f5d02f07e37c0cc95121379cb844dcbd13feeada79bcdae2cb748751662257fa9fbdfb61b2f6944ad60749c402e290
SHA1 hash: b0f8c247986305f8f1f83ea55bb04f6c748557ce
MD5 hash: c9624e4e0c6bbc83b57f844d1dc44102
humanhash: princess-avocado-quebec-louisiana
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:3'032'576 bytes
First seen:2024-12-20 22:10:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:jyKdaGFwF6TL+v1ndNBCT8HlTxD/S8jeHAleOOOOOOOOOOOOOOOOOOOOOOOOOOOU:XdzFwFYLGbNBCT6lV0ll
TLSH T100E53CB2760572CBD48A277C9427CD8259AD07FA4B2008E79C69B47F7E67CC215B6C2C
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
492
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-12-20 22:32:16 UTC
Tags:
amadey botnet stealer loader auto coinminer cryptbot arch-exec autoit telegram github lumma gcleaner stealc credentialflusher themida
Link:
https://app.any.run/tasks/171bad55-ed35-48e8-8f0f-2e743a322a26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.30997.29358.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6765eb8b8a4d48ee35fd88da
Tags:
vmdetect asyncrat autorun autoit
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm anti-vm microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6765eb84103c07c1637683f0/reports/342a31f9-2ab4-4af8-b357-f608090ba439/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/a7a661cf43d7129a809901c641998089aff10f97a09bbdf5874ba16c01db5dfb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b5ad542e-feaa-4623-8ef7-0f27e2d98203
Result
Threat name:
LummaC, Amadey, AsyncRAT, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1579159
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops large PE files
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1579159 Sample: file.exe Startdate: 20/12/2024 Architecture: WINDOWS Score: 100 144 Found malware configuration 2->144 146 Malicious sample detected (through community Yara rule) 2->146 148 Antivirus detection for dropped file 2->148 150 21 other signatures 2->150 10 skotes.exe 4 76 2->10         started        15 file.exe 5 2->15         started        17 Intel_PTT_EK_Recertification.exe 2->17         started        process3 dnsIp4 128 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 10->128 130 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 10->130 132 2 other IPs or domains 10->132 100 C:\Users\user\AppData\...\36d93f3c0c.exe, PE32 10->100 dropped 102 C:\Users\user\AppData\...\2002c77d6d.exe, PE32 10->102 dropped 104 C:\Users\user\AppData\...\d44a5c682a.exe, PE32 10->104 dropped 110 32 other malicious files 10->110 dropped 184 Creates multiple autostart registry keys 10->184 186 Hides threads from debuggers 10->186 188 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->188 190 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 10->190 19 vQeyqr1.exe 14 10->19         started        24 950932ab59.exe 10->24         started        26 22b0b7688f.exe 10->26         started        30 4 other processes 10->30 106 C:\Users\user\AppData\Local\...\skotes.exe, PE32 15->106 dropped 108 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 15->108 dropped 192 Detected unpacking (changes PE section rights) 15->192 194 Tries to evade debugger and weak emulator (self modifying code) 15->194 196 Tries to detect virtualization through RDTSC time measurements 15->196 28 skotes.exe 15->28         started        198 Injects code into the Windows Explorer (explorer.exe) 17->198 200 Modifies the context of a thread in another process (thread injection) 17->200 file5 signatures6 process7 dnsIp8 112 208.95.112.1 TUT-ASUS United States 19->112 114 149.154.167.220 TELEGRAMRU United Kingdom 19->114 116 213.152.176.135 GLOBALLAYERNL Netherlands 19->116 88 C:\Users\user\AppData\Roaming\XClient.exe, PE32 19->88 dropped 158 Antivirus detection for dropped file 19->158 160 Protects its processes via BreakOnTermination flag 19->160 162 Machine Learning detection for dropped file 19->162 178 4 other signatures 19->178 32 powershell.exe 19->32         started        35 powershell.exe 19->35         started        118 104.21.21.99 CLOUDFLARENETUS United States 24->118 164 Multi AV Scanner detection for dropped file 24->164 166 Detected unpacking (changes PE section rights) 24->166 168 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->168 170 LummaC encrypted strings found 24->170 120 185.121.15.192 REDSERVICIOES Spain 26->120 124 2 other IPs or domains 26->124 90 C:\Users\user\AppData\...\service123.exe, PE32 26->90 dropped 92 C:\Users\user\...\UKzjyWlrjRLOjKNNlNHI.dll, PE32 26->92 dropped 180 3 other signatures 26->180 172 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 28->172 182 2 other signatures 28->182 122 45.200.149.15 Africa-on-Cloud-ASZA Seychelles 30->122 94 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 30->94 dropped 96 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 30->96 dropped 174 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->174 176 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 30->176 37 cmd.exe 30->37         started        39 cmd.exe 30->39         started        42 WerFault.exe 30->42         started        file9 signatures10 process11 dnsIp12 136 Uses ping.exe to check the status of other devices and networks 32->136 138 Loading BitLocker PowerShell Module 32->138 45 conhost.exe 32->45         started        47 conhost.exe 35->47         started        140 Uses cmd line tools excessively to alter registry or file data 37->140 49 in.exe 37->49         started        53 7z.exe 37->53         started        55 conhost.exe 37->55         started        63 9 other processes 37->63 98 C:\Users\user\AppData\Local\Temp\...\Dry.com, PE32 39->98 dropped 142 Drops PE files with a suspicious file extension 39->142 57 conhost.exe 39->57         started        59 tasklist.exe 39->59         started        61 findstr.exe 39->61         started        134 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 42->134 file13 signatures14 process15 file16 84 C:\Users\...\Intel_PTT_EK_Recertification.exe, PE32+ 49->84 dropped 152 Suspicious powershell command line found 49->152 154 Uses cmd line tools excessively to alter registry or file data 49->154 156 Uses schtasks.exe or at.exe to add and modify task schedules 49->156 65 powershell.exe 49->65         started        67 attrib.exe 49->67         started        69 attrib.exe 49->69         started        71 schtasks.exe 49->71         started        86 C:\Users\user\AppData\Local\Temp\...\in.exe, PE32+ 53->86 dropped signatures17 process18 process19 73 PING.EXE 65->73         started        76 conhost.exe 65->76         started        78 conhost.exe 67->78         started        80 conhost.exe 69->80         started        82 conhost.exe 71->82         started        dnsIp20 126 127.0.0.1 unknown unknown 73->126
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a7a661cf43d7129a809901c641998089aff10f97a09bbdf5874ba16c01db5dfb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7a661cf43d7129a809901c641998089aff10f97a09bbdf5874ba16c01db5dfb/
Threat name:
Win32.Trojan.CryptBot
Create hunting rule
Status:
Malicious
First seen:
2024-12-20 22:12:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6tgdt2d24jjvaezahdedgmargx7cd4xucn335mhjoqwyao3lx5q._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:asyncrat family:gurcu family:lumma family:vidar family:xmrig family:xworm botnet:9c9aa5 botnet:default credential_access discovery evasion execution miner persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/241220-13zczsvngt/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Checks BIOS information in registry
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Async RAT payload
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
AsyncRat
Asyncrat family
Detect Vidar Stealer
Detect Xworm Payload
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Vidar
Vidar family
Xmrig family
Xworm
Xworm family
xmrig
Malware Config
C2 Extraction:
http://185.215.113.43
xclient.fahrerscheinonlineholen.de:2489
45.200.149.15:7000
https://api.telegram.org/bot8174428401:AAHxlGtOg4tsy0J0kYm7h8822BuHfnk8vKQ/sendMessage?chat_id=1434988227
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/717c0838-347f-40a4-b26e-dcad9ec8b765
Unpacked files
SH256 hash:
48eb65439a9336b64ecafc17f3978c7fe5bdc53b484de48fb861c127596315ed
MD5 hash:
ca487a4d3a325ae8f006b4189b4b105f
SHA1 hash:
679ee6dbe37d2666afdaa09cd6adfca8a75f7823
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/dbbc7ddb-f139-4b99-b9f4-168802b3ef9f/
SH256 hash:
a7a661cf43d7129a809901c641998089aff10f97a09bbdf5874ba16c01db5dfb
MD5 hash:
c9624e4e0c6bbc83b57f844d1dc44102
SHA1 hash:
b0f8c247986305f8f1f83ea55bb04f6c748557ce
Link:
https://www.unpac.me/results/dbbc7ddb-f139-4b99-b9f4-168802b3ef9f/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7a661cf43d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe a7a661cf43d7129a809901c641998089aff10f97a09bbdf5874ba16c01db5dfb

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_TRUST_INFORequires Elevated Execution (uiAccess:None)high

Comments