MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac6db0c7303aa294dc3f00fe7b332c460a167b3e23befe0e3487528fca5c833e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 14

Intelligence 14 IOCs 1 YARA File information Comments

SHA256 hash:	ac6db0c7303aa294dc3f00fe7b332c460a167b3e23befe0e3487528fca5c833e
SHA3-384 hash:	69ff4c188303b43d72a9fffcba8ea0688dcbd99c3bdc351a6f96207f9d94c1d72b79074ece3479d3b2f9ba6101f8e0e7
SHA1 hash:	6acd219bfdff443b5ad9bc347b321121baa0560d
MD5 hash:	c282ada6f2f1865b9f193604a77be50c
humanhash:	mike-enemy-don-finch
File name:	c282ada6f2f1865b9f193604a77be50c.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	317'440 bytes
First seen:	2021-12-23 06:51:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d712e1272d34b19a3fc721efd405a672 (3 x Amadey, 2 x RedLineStealer)
ssdeep	1536:2cd/dDLK0yP2dCEEzwadfI0hExN0U5CC8+Fzhe4jqnFxBF4lglnDKL:rLK8dmcwnExNv5CFuzhdjqFJbB
Threatray	10'395 similar samples on MalwareBazaar
TLSH	T15F64BF5D7AF0C437C5D54AB04935C6A1AE7FFC426A714D8B7688379F2EB22C19A36302
File icon (PE):
dhash icon	480c1c4c4f590b14 (113 x Smoke Loader, 92 x RedLineStealer, 83 x Amadey)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
154.53.32.211:53037

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
154.53.32.211:53037	https://threatfox.abuse.ch/ioc/282341/

Intelligence

File Origin

# of uploads :

# of downloads :

434

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c282ada6f2f1865b9f193604a77be50c.exe

Verdict:

Suspicious activity

Analysis date:

2021-12-23 06:55:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4f5f6f9e-af5e-48ec-8366-fdfe70fdc12a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/215884/

Detection(s):

Win.Packed.Generic-9917126-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

DNS request

Searching for synchronization primitives

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP GET request

Launching a process

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Sending an HTTP POST request to an infection source

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2976/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware lockbit

Link:

https://www.filescan.io/uploads/61c41c954ab5c44cbf4db37e/reports/7ff89a1e-be90-47bd-84e5-c8813f9ec947/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/622c74f9-92cf-4af8-8789-63d09f0ac68f

Result

Threat name:

Djvu RedLine SmokeLoader

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/911863

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Djvu Ransomware

Yara detected RedLine Stealer

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ac6db0c7303aa294dc3f00fe7b332c460a167b3e23befe0e3487528fca5c833e/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2021-12-23 05:09:44 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vrw3brzqhkrjjxb7ad7hwmzmiyfbm6z6eo7p4druq5ji7ss4qm7a._file

Verdict:

malicious

Amadey

6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a

Amadey

8b9e05937557c312981409e1107aa75b580f170138d0a7abf3cfaa93dd9113aa

Amadey

be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881

Amadey

c37feba7ad29a50f566e779edd2c5514edcbd6e87909ca4d8e6d1f9727362d94

Amadey

d2b72372d1f6ff858237a0804714acfb2afa47ad2c2530a749ba738d2e0cf416

Amadey

ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0

Amadey

fbb99570b341367a86c2c23b56862bfb3d3ea91c06e7c15750f7d36bf82f494b

Amadey

+ 10'385 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:arkei family:redline family:smokeloader family:tofsee family:xmrig botnet:1 backdoor collection discovery evasion infostealer miner persistence spyware stealer trojan

Link:

https://tria.ge/reports/211223-hm3rcshbf5/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Arkei Stealer Payload

XMRig Miner Payload

Arkei

RedLine

RedLine Payload

SmokeLoader

Tofsee

Windows security bypass

xmrig

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
86.107.197.138:38133
mubrikych.top
oxxyfix.xyz