MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad4c4a0f8c9bd64552f8ae0c4b890cfaddea2370b40d47e092f16f9322148006. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad4c4a0f8c9bd64552f8ae0c4b890cfaddea2370b40d47e092f16f9322148006
SHA3-384 hash: 94ac8482f7898d9dc71a4a5c1a2bcca272249a29d06254a8bfbe2f32b743cd58f8044e8da1b9644ddc60ef483e57e614
SHA1 hash: 0943ca90df9b9d22c66c5a1db619fb94aacf7d3f
MD5 hash: 2d0e3253d3974c3ae6811b71f13ddc60
humanhash: cardinal-eighteen-lion-dakota
File name:SecuriteInfo.com.Mal.EncPk-APV.1159.29102
Download: download sample
Signature Amadey
Create hunting rule
File size:1'302'080 bytes
First seen:2020-07-18 11:53:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4e4f14125466f692963bec87bd1b404f (1 x RaccoonStealer, 1 x Amadey)
ssdeep 6144:h6n+MnYT/nLnzN5w0qzfn0nOwXnxnxnxZLnrn7nxT/nhnvnhlnpnrnpjn/nvnxns:gF
Threatray 1'273 similar samples on MalwareBazaar
TLSH 5C553509B8C04F9EE6D6487639A5D7241D9EED0A4653F00F47E4F6E1B3B3BF16A80285
Reporter SecuriteInfoCom
Tags:Amadey

Intelligence

File Origin
# of uploads :
1
# of downloads :
670
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27700/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APV.1159.29102.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/388642
Signature
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadey\'s stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246494 Sample: SecuriteInfo.com.Mal.EncPk-... Startdate: 18/07/2020 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Found malware configuration 2->69 71 7 other signatures 2->71 8 SecuriteInfo.com.Mal.EncPk-APV.1159.exe 4 2->8         started        12 bdif.exe 2->12         started        process3 file4 41 C:\ProgramData\1321ba6d1f\bdif.exe, PE32 8->41 dropped 87 Detected unpacking (changes PE section rights) 8->87 89 Detected unpacking (overwrites its own PE header) 8->89 91 Creates files in alternative data streams (ADS) 8->91 14 bdif.exe 20 8->14         started        signatures5 process6 dnsIp7 53 217.8.117.52, 49732, 49733, 49734 CREXFEXPEX-RUSSIARU Russian Federation 14->53 55 stationery.best 104.27.133.53, 49739, 80 CLOUDFLARENETUS United States 14->55 43 C:\Users\user\AppData\Local\Temp\scr.dll, PE32 14->43 dropped 45 C:\Users\user\AppData\Local\Temp\cred.dll, PE32 14->45 dropped 47 C:\Users\user\AppData\Local\...\cred[1].dll, PE32 14->47 dropped 49 C:\Users\user\AppData\Local\...\scr[1].dll, PE32 14->49 dropped 57 Multi AV Scanner detection for dropped file 14->57 59 Detected unpacking (changes PE section rights) 14->59 61 Detected unpacking (overwrites its own PE header) 14->61 63 2 other signatures 14->63 19 rundll32.exe 14->19         started        23 rundll32.exe 1 14->23         started        25 reg.exe 1 14->25         started        27 3 other processes 14->27 file8 signatures9 process10 dnsIp11 51 192.168.2.5, 443, 49704, 49710 unknown unknown 19->51 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->73 75 Tries to steal Instant Messenger accounts or passwords 19->75 77 Tries to steal Mail credentials (via file access) 19->77 79 Tries to harvest and steal ftp login credentials 19->79 81 System process connects to network (likely due to code injection or exploit) 23->81 29 WerFault.exe 27 10 23->29         started        83 Creates an undocumented autostart registry key 25->83 31 conhost.exe 25->31         started        85 Creates multiple autostart registry keys 27->85 33 conhost.exe 27->33         started        35 conhost.exe 27->35         started        37 conhost.exe 27->37         started        39 schtasks.exe 1 27->39         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad4c4a0f8c9bd64552f8ae0c4b890cfaddea2370b40d47e092f16f9322148006/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2020-07-17 22:28:56 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvgeud4mtplekuxyvygexcim7lo6ui3qwqgupyes6fxzgiquqada._file
Verdict:
malicious
Similar samples:
1a3a564f2175feba8a40232a1c31929c8545f83628c5a4142619b96d97863490
Amadey
39d56c869cad92d68f32de4587211860f3a5c03079340351a80f2bfbee3dd547
Amadey
422046dea0f6a4760bef5ec950587e14932fd938a6dea7e79d7788bcb28fbaca
Amadey
4487df47e3d0f8ea77106e4eec691b51f1b064394b504ad69b4419d3466f3940
Amadey
6307464741aecc02763e8a62d6af6e60b1a1a2ebba726e6044946dc5b5cf800d
Amadey
64ee5cef4381fc376f17c0f7ca02678be1a879bf946e65c9665162734e77c466
Amadey
86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b
Amadey
a4b0ae97129f396b3227af84b8a8de422a21332358ae1915340de75ca6ab80ce
Amadey
b98d1818806aad22980ec5e078adadff5ffa23d2ca2621ac5b603859a947dc5c
Amadey
bd05c3d9547104bd7bb5ef82fad00cf1d990fc31e07580314c9def2eaec2b16b
Amadey
+ 1'263 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200718-9akwrb7qka/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Loads dropped DLL
Executes dropped EXE
Blacklisted process makes network request
Blacklisted process makes network request
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad4c4a0f8c9bd64552f8ae0c4b890cfaddea2370b40d47e092f16f9322148006

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_amadey_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe ad4c4a0f8c9bd64552f8ae0c4b890cfaddea2370b40d47e092f16f9322148006

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/414731/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/27700/

Comments