MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f
SHA3-384 hash: d6fd328b952597e848c401d625fbc284a1463192678902cb0784a0356ca426ee2260399d7bb233da04e9e4cca6164a5e
SHA1 hash: 87dc7bd254cac48669668a1833c10b8aab3775be
MD5 hash: 6232a1aa692fe2b9f3f8e67d35c7dab7
humanhash: zulu-asparagus-spring-july
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:1'903'616 bytes
First seen:2024-11-19 21:04:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:P2VKHlPtXQxOpYkv5bhxX84iAMEoatUvyuCy9CIwD:P2mtg4+kvBNKzatUquL9CV
TLSH T19C9533998F697A39C15E8EFC53D22E74CA958BD843260D787CC1E16F4D3E6011B4F42A
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
454
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-19 21:06:26 UTC
Tags:
amadey botnet stealer themida
Link:
https://app.any.run/tasks/3a59981c-e2d4-4a55-8503-dabd8b1185e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.22286.8680.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673cfdee7b9ab5fcc4db8ee2
Tags:
autorun spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/673cfd7eef05ce04988cab2b/reports/aba65133-6431-4e89-88dd-a66bdfa7e823/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/769f4f6b-754d-426c-b56f-113fb9f9c813
Result
Threat name:
LummaC, Amadey, Credential Flusher, Cryp
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1558866
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops large PE files
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1558866 Sample: file.exe Startdate: 19/11/2024 Architecture: WINDOWS Score: 100 118 cook-rain.sbs 2->118 120 youtube.com 2->120 122 33 other IPs or domains 2->122 150 Suricata IDS alerts for network traffic 2->150 152 Found malware configuration 2->152 154 Antivirus detection for dropped file 2->154 156 14 other signatures 2->156 9 skotes.exe 7 37 2->9         started        14 file.exe 5 2->14         started        16 074873f122.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 138 185.215.113.43, 49838, 49858, 80 WHOLESALECONNECTIONSNL Portugal 9->138 140 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 9->140 142 3 other IPs or domains 9->142 98 C:\Users\user\AppData\...\47f677ba64.exe, PE32 9->98 dropped 100 C:\Users\user\AppData\...\65c2c3d4c3.exe, PE32 9->100 dropped 102 C:\Users\user\AppData\...\f72eb1bfa4.exe, PE32 9->102 dropped 108 10 other malicious files 9->108 dropped 184 Creates multiple autostart registry keys 9->184 186 Hides threads from debuggers 9->186 188 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->188 20 7afc94686a.exe 9->20         started        25 074873f122.exe 12 9->25         started        27 2a8ef8d829.exe 9->27         started        37 2 other processes 9->37 104 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->104 dropped 106 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->106 dropped 190 Detected unpacking (changes PE section rights) 14->190 192 Tries to evade debugger and weak emulator (self modifying code) 14->192 194 Tries to detect virtualization through RDTSC time measurements 14->194 29 skotes.exe 14->29         started        196 Query firmware table information (likely to detect VMs) 16->196 198 Tries to harvest and steal ftp login credentials 16->198 200 Tries to harvest and steal browser information (history, passwords, etc) 16->200 31 chrome.exe 16->31         started        202 Tries to steal Crypto Currency Wallets 18->202 204 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->204 33 firefox.exe 18->33         started        35 taskkill.exe 18->35         started        39 5 other processes 18->39 file6 signatures7 process8 dnsIp9 124 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 20->124 80 C:\Users\user\DocumentsJDGCFBAFBF.exe, PE32 20->80 dropped 82 C:\Users\user\AppData\...\softokn3[1].dll, PE32 20->82 dropped 84 C:\Users\user\AppData\Local\...\random[2].exe, PE32 20->84 dropped 94 11 other files (7 malicious) 20->94 dropped 158 Antivirus detection for dropped file 20->158 160 Multi AV Scanner detection for dropped file 20->160 162 Attempt to bypass Chrome Application-Bound Encryption 20->162 174 7 other signatures 20->174 41 cmd.exe 20->41         started        43 chrome.exe 20->43         started        126 cook-rain.sbs 172.67.155.248 CLOUDFLARENETUS United States 25->126 164 Detected unpacking (changes PE section rights) 25->164 166 Query firmware table information (likely to detect VMs) 25->166 176 3 other signatures 25->176 46 chrome.exe 25->46         started        168 Tries to detect sandboxes and other dynamic analysis tools (window names) 27->168 178 4 other signatures 27->178 180 3 other signatures 29->180 48 chrome.exe 31->48         started        128 youtube.com 142.251.32.110 GOOGLEUS United States 33->128 130 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 33->130 136 9 other IPs or domains 33->136 86 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 33->86 dropped 88 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 33->88 dropped 96 2 other malicious files 33->96 dropped 54 3 other processes 33->54 170 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 35->170 50 conhost.exe 35->50         started        132 fvtekk5pn.top 34.116.198.130 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 37->132 134 home.fvtekk5pn.top 37->134 90 C:\Users\user\...\unmYCIPOHmXNjqOesrEy.dll, PE32 37->90 dropped 92 C:\Users\user\AppData\...\service123.exe, PE32 37->92 dropped 172 Binary is likely a compiled AutoIt script file 37->172 182 2 other signatures 37->182 52 taskkill.exe 37->52         started        56 6 other processes 37->56 58 4 other processes 39->58 file10 signatures11 process12 dnsIp13 60 DocumentsJDGCFBAFBF.exe 41->60         started        63 conhost.exe 41->63         started        144 192.168.2.4, 443, 49730, 49736 unknown unknown 43->144 146 239.255.255.250 unknown Reserved 43->146 65 chrome.exe 43->65         started        148 192.168.2.16 unknown unknown 46->148 68 chrome.exe 46->68         started        70 chrome.exe 46->70         started        72 conhost.exe 52->72         started        74 conhost.exe 56->74         started        76 conhost.exe 56->76         started        78 3 other processes 56->78 process14 dnsIp15 206 Multi AV Scanner detection for dropped file 60->206 208 Tries to evade debugger and weak emulator (self modifying code) 60->208 210 Hides threads from debuggers 60->210 212 2 other signatures 60->212 110 www.google.com 142.251.35.164 GOOGLEUS United States 65->110 112 s-part-0010.t-0009.t-msedge.net 13.107.246.38 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 68->112 114 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49737, 49738 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 68->114 116 9 other IPs or domains 68->116 signatures16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2024-11-19 21:05:11 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u7hvbabzewv7ao6nrgnye5c6i4xjtfr3ftmamoveije323dvhfpq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:cryptbot family:stealc botnet:9c9aa5 botnet:mars credential_access discovery evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/241119-zw52hsxnbl/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
CryptBot
Cryptbot family
Detects CryptBot payload
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.43
http://185.215.113.206
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fc6dc894-291b-46fe-9bc4-b334b2a74fd5
Unpacked files
SH256 hash:
fea041a59f0fd5bb58841355c5f25b7f1e38d28cbb0be357305e5dde5fba5348
MD5 hash:
e28eed72f560a3f5e5a09e9e37d8728f
SHA1 hash:
e4cb4ca649618e4414c857c72ec903a758777eb3
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/ba8e3017-fd4c-4fac-acd3-ab776b7c9940/
SH256 hash:
a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f
MD5 hash:
6232a1aa692fe2b9f3f8e67d35c7dab7
SHA1 hash:
87dc7bd254cac48669668a1833c10b8aab3775be
Link:
https://www.unpac.me/results/ba8e3017-fd4c-4fac-acd3-ab776b7c9940/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7cf50803925/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3072521/
  
URLhaus
https://urlhaus.abuse.ch/url/3273372/
  
URLhaus
https://urlhaus.abuse.ch/url/3279844/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments