MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac7eab26629e889c428293f303b428424ffccae5658636cca54512753fa2792a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac7eab26629e889c428293f303b428424ffccae5658636cca54512753fa2792a
SHA3-384 hash: 80825fa8cb3d369b36439241fc0cb5b41d6395988736b9f594b94d49a5032727ce5ac5876601f34b3e4193c314e74a63
SHA1 hash: 62cd61a0004ef666d0d6427c42c8a6ec7b30617c
MD5 hash: 3197aa29fd7d023f4483200e06a95d7a
humanhash: quiet-louisiana-maryland-floor
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:3'276'800 bytes
First seen:2024-12-12 22:48:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:of5+2z7fYXSXFA0R8kTiglrFF852feG2ezYVW5es:o5fYXSXm0RbTiglv852XZzeW5e
Threatray 11 similar samples on MalwareBazaar
TLSH T15DE55BD1740572CBC48B57BCBD1BCD896B1D03BD072149D7986DB47AAEA3CC216BAC28
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
502
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-12-12 22:19:27 UTC
Tags:
stealer stealc loader themida amadey botnet arch-exec telegram gcleaner vidar
Link:
https://app.any.run/tasks/a8e3291e-9a00-4a88-8164-b0d7bdee121c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.27357.768.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675b6a68259e5b60544c851a
Tags:
vmdetect autorun autoit lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm evasive fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/675b685fd0bf6a811f2d6549/reports/4eb045b0-d6b1-437f-a0ba-39f1256abfc3/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/ac7eab26629e889c428293f303b428424ffccae5658636cca54512753fa2792a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8645656e-0c2a-40e8-8c4e-ed2fc00479bd
Result
Threat name:
Amadey, LummaC Stealer, Stealc, Vidar, X
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1574118
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Drops script at startup location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1574118 Sample: file.exe Startdate: 12/12/2024 Architecture: WINDOWS Score: 100 114 grahm.xyz 2->114 116 woo097878781.win 2->116 118 39 other IPs or domains 2->118 156 Suricata IDS alerts for network traffic 2->156 158 Found malware configuration 2->158 160 Antivirus detection for dropped file 2->160 164 23 other signatures 2->164 10 skotes.exe 3 40 2->10         started        15 file.exe 5 2->15         started        17 wscript.exe 2->17         started        19 5 other processes 2->19 signatures3 162 Performs DNS queries to domains with low reputation 114->162 process4 dnsIp5 130 185.215.113.43, 49758, 49764, 49801 WHOLESALECONNECTIONSNL Portugal 10->130 132 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 10->132 134 31.41.244.11, 49770, 49802, 80 AEROEXPRESS-ASRU Russian Federation 10->134 102 C:\Users\user\AppData\...\2560e27d22.exe, PE32 10->102 dropped 104 C:\Users\user\AppData\...\068b8fe00c.exe, PE32 10->104 dropped 106 C:\Users\user\AppData\...\97cc3162de.exe, PE32 10->106 dropped 112 13 other malicious files 10->112 dropped 216 Creates multiple autostart registry keys 10->216 218 Hides threads from debuggers 10->218 220 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->220 21 CuKxXX0.exe 5 10->21         started        25 068b8fe00c.exe 10->25         started        27 26e4362d6d.exe 10->27         started        34 5 other processes 10->34 108 C:\Users\user\AppData\Local\...\skotes.exe, PE32 15->108 dropped 110 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 15->110 dropped 222 Detected unpacking (changes PE section rights) 15->222 224 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->224 226 Tries to evade debugger and weak emulator (self modifying code) 15->226 228 Tries to detect virtualization through RDTSC time measurements 15->228 30 skotes.exe 15->30         started        230 Windows Scripting host queries suspicious COM object (likely to drop second stage) 17->230 232 Suspicious execution chain found 17->232 32 WindosCPUsystem.exe 17->32         started        136 127.0.0.1 unknown unknown 19->136 234 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 19->234 file6 signatures7 process8 dnsIp9 86 C:\Users\user\AppData\...\WindosCPUsystem.exe, PE32+ 21->86 dropped 88 C:\Users\user\AppData\...\WindosCPUsystem.vbs, ASCII 21->88 dropped 182 Suspicious powershell command line found 21->182 196 3 other signatures 21->196 36 MSBuild.exe 21->36         started        40 powershell.exe 23 21->40         started        42 cmd.exe 1 21->42         started        51 2 other processes 21->51 184 Multi AV Scanner detection for dropped file 25->184 186 Tries to detect sandboxes and other dynamic analysis tools (window names) 25->186 188 Machine Learning detection for dropped file 25->188 198 5 other signatures 25->198 138 80.82.65.70 INT-NETWORKSC Netherlands 27->138 90 C:\Users\user\AppData\Local\...\Y-Cleaner.exe, PE32 27->90 dropped 92 C:\Users\user\...\Bunifu_UI_v1.5.3.dll, PE32 27->92 dropped 94 C:\Users\user\AppData\Local\...\soft[1], PE32 27->94 dropped 96 C:\Users\user\AppData\Local\...\dll[1], PE32 27->96 dropped 190 Antivirus detection for dropped file 27->190 200 2 other signatures 27->200 192 Detected unpacking (changes PE section rights) 30->192 202 2 other signatures 30->202 204 3 other signatures 32->204 44 powershell.exe 32->44         started        53 3 other processes 32->53 140 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 34->140 142 grahm.xyz 116.203.10.31 HETZNER-ASDE Germany 34->142 144 t.me 149.154.167.99 TELEGRAMRU United Kingdom 34->144 98 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 34->98 dropped 100 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 34->100 dropped 194 Binary is likely a compiled AutoIt script file 34->194 206 2 other signatures 34->206 46 623d0a60b5.exe 34->46         started        49 cmd.exe 34->49         started        55 5 other processes 34->55 file10 signatures11 process12 dnsIp13 84 C:\Users\user\AppData\...\orupcopicsyv.sys, PE32+ 36->84 dropped 166 Injects code into the Windows Explorer (explorer.exe) 36->166 168 Modifies the context of a thread in another process (thread injection) 36->168 170 Sample is not signed and drops a device driver 36->170 57 explorer.exe 36->57         started        172 Loading BitLocker PowerShell Module 40->172 63 2 other processes 40->63 174 Uses ipconfig to lookup or modify the Windows network settings 42->174 65 2 other processes 42->65 67 2 other processes 44->67 154 drive-connect.cyou 104.21.79.7 CLOUDFLARENETUS United States 46->154 176 Found many strings related to Crypto-Wallets (likely being stolen) 46->176 178 Tries to harvest and steal browser information (history, passwords, etc) 46->178 180 Tries to steal Crypto Currency Wallets 46->180 69 4 other processes 49->69 61 chrome.exe 51->61         started        71 3 other processes 51->71 73 4 other processes 53->73 75 3 other processes 55->75 file14 signatures15 process16 dnsIp17 120 woo097878781.win 154.216.20.243 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 57->120 122 5.188.137.200 SELECTEL-MSKRU Russian Federation 57->122 124 185.157.162.216 OBE-EUROPEObenetworkEuropeSE Sweden 57->124 208 System process connects to network (likely due to code injection or exploit) 57->208 210 Query firmware table information (likely to detect VMs) 57->210 212 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 57->212 126 192.168.2.4, 49723, 49724, 49758 unknown unknown 61->126 128 239.255.255.250 unknown Reserved 61->128 77 chrome.exe 61->77         started        80 chrome.exe 61->80         started        214 Suspicious powershell command line found 65->214 82 chrome.exe 67->82         started        signatures18 process19 dnsIp20 146 google.com 77->146 148 www.google.com 142.250.181.132 GOOGLEUS United States 77->148 152 7 other IPs or domains 77->152 150 google.com 82->150
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ac7eab26629e889c428293f303b428424ffccae5658636cca54512753fa2792a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac7eab26629e889c428293f303b428424ffccae5658636cca54512753fa2792a/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-12-12 22:49:06 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vr7kwjtct2ejyqucspzqhnbiijh7zsxfmwddntffiujhkp5cpeva._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
shellcode_loader_002
Create hunting rule
Similar samples:
01be856a9d037fdab8d3ce0046daae65fecaa637af55bf6333518a6d9459d600
Amadey
4f30e0285d3aac1a24b85e13a7067a801be9cec1aaf14671bdc96778f70d2aa9
Amadey
5fa3dea08fd0d0f579b15febf23f25c63e5b40d39a1ee5d06e0efb81cf0519ca
Amadey
68fefaa70bd63ff3251ce5e536b278e23b29141bb491a43fc4a85de7fe74dfce
Amadey
888781cacec83eae2a8ea38778dc47d6787ef7bf54f6e05122b9c75a9349c84b
Amadey
97efe91fe5eff3dcdcb055f037f1df01c1409e6bd38a8f07170ea53a0ff265ef
Amadey
9ad982faa8074948b29914e4eda3db1ce14b6e0ee4823d627ab0b6c54f3a5a7b
Amadey
a67a09657ad86da7453e95dd781bed2c1af9fb09ac250ac51602d56eed14621c
Amadey
bcfbab649e890b3c53ae492fbb7d78912e6b40c5f9e447209bf434b1c3dedfd7
Amadey
d47a220f4dac6bc8a1f0e7afb71f1201838cdf132fc79d04b1ae63122b42d27c
Amadey
error
Amadey
+ 1 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:gcleaner family:lumma family:stealc botnet:9c9aa5 botnet:stok credential_access discovery evasion execution loader persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/241212-2rnb1szmft/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Gathers network information
Gathers system information
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Looks up external IP address via web service
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.215.113.43
http://185.215.113.206
https://drive-connect.cyou/api
https://covery-mover.biz/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/973fba4e-9301-4a99-98a4-328ec400cf55
Unpacked files
SH256 hash:
6060ec82a658c6480c10e4fe7c01b099b01eb2670659e1df364b997825ce17ac
MD5 hash:
62423a51a2a1f2466090561a788943bf
SHA1 hash:
a0f986822d8c449b6591a605634a68f11b48c767
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/993d03b3-eaae-4a52-869d-82a9ac12983c/
SH256 hash:
ac7eab26629e889c428293f303b428424ffccae5658636cca54512753fa2792a
MD5 hash:
3197aa29fd7d023f4483200e06a95d7a
SHA1 hash:
62cd61a0004ef666d0d6427c42c8a6ec7b30617c
Link:
https://www.unpac.me/results/993d03b3-eaae-4a52-869d-82a9ac12983c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac7eab26629e889c428293f303b428424ffccae5658636cca54512753fa2792a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe ac7eab26629e889c428293f303b428424ffccae5658636cca54512753fa2792a

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3279844/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments