MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a
SHA3-384 hash: 12add38f7f1abed76b1e69493786083f39819c4c0136b4eb9eb4f1d09efe8a757661c834b7976a4eaa6445a6cb65e895
SHA1 hash: 3fe0a9b75b2f4dd939df21f9086175d9127191b2
MD5 hash: 3172370112b0a5d7b8c1df8813c5b23e
humanhash: april-sweet-beryllium-william
File name:3172370112b0a5d7b8c1df8813c5b23e.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'158'144 bytes
First seen:2021-08-24 10:07:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:Iqtwk/QybGD8xuXcG9Rc0dH9YX8RbVTttj3VHmq199ZM:cuQzDOuXcGLtdGq9tmC76
Threatray 1'879 similar samples on MalwareBazaar
TLSH T16A3533255CEFCCCFF9EB253685B4E246333FD48481B4EBD74A2ED26A019DBA84672114
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://heso-vpn.ug/k8FppT/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://heso-vpn.ug/k8FppT/index.php https://threatfox.abuse.ch/ioc/193627/

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3172370112b0a5d7b8c1df8813c5b23e.exe
Verdict:
Malicious activity
Analysis date:
2021-08-24 10:08:17 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/8daabb65-4df0-4ec2-9e9f-629baee3fbf6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/181814/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

Win.Malware.Agen-9845429-0
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Sending a UDP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Reading critical registry keys
Deleting a recently created file
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Running batch commands
Launching a process
Sending an HTTP POST request
Sending an HTTP GET request
Searching for analyzing tools
Searching for the window
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/982f4b62-e54d-47b6-92b5-4933828b3bc1
Result
Threat name:
Amadey Phoenix Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838131
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 470560 Sample: WiqtUEK1DH.exe Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 114 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->114 116 Sigma detected: Xmrig 2->116 118 Antivirus detection for dropped file 2->118 120 10 other signatures 2->120 10 WiqtUEK1DH.exe 15 36 2->10         started        15 build.exe 2->15         started        17 build.exe 2->17         started        19 rnyuf.exe 2->19         started        process3 dnsIp4 94 185.206.215.216, 49683, 80 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 10->94 96 cdn.discordapp.com 162.159.129.233, 443, 49688 CLOUDFLARENETUS United States 10->96 98 api.ip.sb 10->98 74 C:\Users\user\AppData\Local\Temp\build.exe, PE32 10->74 dropped 76 C:\Users\user\AppData\...\WiqtUEK1DH.exe.log, ASCII 10->76 dropped 148 Detected unpacking (changes PE section rights) 10->148 150 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->150 152 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->152 156 3 other signatures 10->156 21 build.exe 4 10->21         started        25 conhost.exe 10->25         started        100 iplogger.org 15->100 102 bitbucket.org 15->102 78 C:\ProgramData\Systemd\old.exe (copy), PE32+ 15->78 dropped 80 C:\ProgramData\Systemd\Database.exe, PE32+ 15->80 dropped 82 C:\ProgramData\Microsoft Network\System.exe, PE32 15->82 dropped 84 C:\ProgramData\Data\Database.exe, PE32+ 15->84 dropped 154 Hides threads from debuggers 15->154 104 iplogger.org 17->104 106 bitbucket.org 17->106 27 cmd.exe 17->27         started        29 cmd.exe 17->29         started        31 conhost.exe 17->31         started        file5 signatures6 process7 file8 72 C:\Users\user\AppData\Local\...\rnyuf.exe, PE32 21->72 dropped 140 Antivirus detection for dropped file 21->140 142 Multi AV Scanner detection for dropped file 21->142 144 Detected unpacking (changes PE section rights) 21->144 146 3 other signatures 21->146 33 rnyuf.exe 1 18 21->33         started        38 conhost.exe 27->38         started        40 taskkill.exe 27->40         started        42 conhost.exe 29->42         started        signatures9 process10 dnsIp11 88 162.159.135.233, 443, 49692, 49693 CLOUDFLARENETUS United States 33->88 90 heso-vpn.ug 193.164.17.17, 49690, 49691, 49694 AT-ASRU Russian Federation 33->90 92 cdn.discordapp.com 33->92 68 C:\Users\user\AppData\Local\...\build.exe, PE32 33->68 dropped 70 C:\Users\user\AppData\Local\...\build[1].exe, PE32 33->70 dropped 122 Antivirus detection for dropped file 33->122 124 Multi AV Scanner detection for dropped file 33->124 126 Detected unpacking (changes PE section rights) 33->126 128 4 other signatures 33->128 44 build.exe 33->44         started        49 cmd.exe 1 33->49         started        51 schtasks.exe 1 33->51         started        file12 signatures13 process14 dnsIp15 108 iplogger.org 88.99.66.31, 443, 49713, 49715 HETZNER-ASDE Germany 44->108 110 bitbucket.org 104.192.141.1, 443, 49718 AMAZON-02US United States 44->110 112 3 other IPs or domains 44->112 86 C:\ProgramData\Data\old.exe (copy), PE32+ 44->86 dropped 158 Antivirus detection for dropped file 44->158 160 Detected unpacking (changes PE section rights) 44->160 162 May check the online IP address of the machine 44->162 164 3 other signatures 44->164 53 Database.exe 44->53         started        56 cmd.exe 44->56         started        58 conhost.exe 44->58         started        60 reg.exe 1 49->60         started        62 conhost.exe 49->62         started        64 conhost.exe 51->64         started        file16 signatures17 process18 signatures19 130 Query firmware table information (likely to detect VMs) 53->130 132 Tries to detect sandboxes and other dynamic analysis tools (window names) 53->132 134 Hides threads from debuggers 53->134 136 Tries to detect sandboxes / dynamic malware analysis system (registry check) 53->136 66 conhost.exe 56->66         started        138 Creates an undocumented autostart registry key 60->138 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 10:08:07 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmufdoozmbs3aguwymyfvc56y52sfol2nr2rvavdj5d7ixzqv5va._file
Verdict:
malicious
Similar samples:
075811c1b041821aa0902e5035ab2177e6c97c451896ee954d98486d049face6
Amadey
108cad79cd5bd2a947c5b877a55b7d3a6a4ce579aae3f298c0618154c27eb3d4
Amadey
12505bb6e3c63202f22db1d60afd4a0a386ddff8807bf0d1f8583ba57f6413ba
Amadey
196e6323c5ffd2105f1159a77c1b1cb583deb9d27875232f5fae5635a39a637d
Amadey
41c2bbd61ad11d1fd1e1c8771edd92d1ab5df475c65764c2c5153f6afef84894
Amadey
583c189b3d8bc98c7a9e22ba2ad1fce8210222fa636287f8fa3fd7b291cd778c
Amadey
a3acdf009a9db20af30be0c6fcdcdc27ad9db3ee9a84bc52d9e6f7d30ec42af2
Amadey
c74725fe1e3f3681bc7033ce7694b98075d395c06ba22989216d4288db559e85
Amadey
f1df708a846482e0d856754d5178d80109b068dc589494e6e831e2cfa2148b30
Amadey
ff721387c09c52da9e700f8c45a576b3bb23fd9235de81ebc5259793ac643eef
Amadey
+ 1'869 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210824-xct43y88wx/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
suricata: ET MALWARE Amadey CnC Check-In
Unpacked files
SH256 hash:
ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a
MD5 hash:
3172370112b0a5d7b8c1df8813c5b23e
SHA1 hash:
3fe0a9b75b2f4dd939df21f9086175d9127191b2
Link:
https://www.unpac.me/results/a4ff6f60-c3dd-49cc-a22d-b309c0a9e044/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ab2851b9d960/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.62
Link:
https://yomi.yoroi.company/submissions/ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe ab2851b9d96065b01a96c3305a8bbec77522b97a6c751a82a34f47f45f30af6a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1549207/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181814/

Comments