MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8b8c5af5a81e7539039bcde6c80428717724bfa84b8f081af4a91f530150b9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments 1

SHA256 hash:	a8b8c5af5a81e7539039bcde6c80428717724bfa84b8f081af4a91f530150b9a
SHA3-384 hash:	abbb94cf3c932c9a10d11e3599d570c768cec53721d262c2afaaf28a00f9b4b8ec8de1214173a01b3f94bbac5485b55c
SHA1 hash:	cee7d814eff1f4239b54389afad56479405aa81f
MD5 hash:	858c8921fd045dd5a185cd2135d30ee2
humanhash:	beryllium-twelve-network-double
File name:	858c8921fd045dd5a185cd2135d30ee2
Download:	download sample
Signature	Amadey Create hunting rule
File size:	112'128 bytes
First seen:	2024-02-01 05:37:19 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	61d6334c6ae4948c906d9fa7fdf019fa (13 x Amadey)
ssdeep	3072:G4uSD+ZwruS0bGYuZRtasSVh/QbIegRQod4l:VuTiabruZR8J1lD4l
TLSH	T1D8B35C217591C472D6AD0A791874ABB1CB3EB910DF745DEB37940A7AAE302C29F30D36
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	32 Amadey dll exe

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

Vendor Threat Intelligence

Detection:

Amadey

Link:

https://www.capesandbox.com/analysis/473903/

Detection(s):

Win.Malware.Zusy-10015683-0

Win.Malware.Zusy-10017303-0

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker

Link:

https://www.filescan.io/uploads/65bb2e3abc91f83c80750aaa/reports/193ce094-0a62-40e2-8601-3f1464b501bb/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/a8b8c5af5a81e7539039bcde6c80428717724bfa84b8f081af4a91f530150b9a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e87476fc-90bb-4f91-9d12-f0f66e2af9d2

Result

Threat name:

Amadey

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1384526

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a8b8c5af5a81e7539039bcde6c80428717724bfa84b8f081af4a91f530150b9a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8b8c5af5a81e7539039bcde6c80428717724bfa84b8f081af4a91f530150b9a/

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2024-02-01 05:38:05 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vc4mll22qhtvhebzxtpgzaccq4lxes72qs4pbanpjki7kmavbona._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240201-gbp6fsedcm/

Behaviour

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

a8b8c5af5a81e7539039bcde6c80428717724bfa84b8f081af4a91f530150b9a

MD5 hash:

858c8921fd045dd5a185cd2135d30ee2

SHA1 hash:

cee7d814eff1f4239b54389afad56479405aa81f

Link:

https://www.unpac.me/results/305b1c09-ac98-4c8e-bb9a-8b3eca54d510/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8b8c5af5a81e7539039bcde6c80428717724bfa84b8f081af4a91f530150b9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Amadey Create hunting rule
Author:	kevoreilly
Description:	Amadey Payload

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

DLL dll a8b8c5af5a81e7539039bcde6c80428717724bfa84b8f081af4a91f530150b9a

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2754586/

Cape

https://www.capesandbox.com/analysis/473903/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-02-01 05:37:20 UTC

url : hxxp://51.81.69.127/jPdsj3d4M/Plugins/clip64.dll