MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afe45e40da95a97781a374d8eaa6f59415457b8980140aaff8d125327ae6d7cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afe45e40da95a97781a374d8eaa6f59415457b8980140aaff8d125327ae6d7cd
SHA3-384 hash: ff3e8743681dfd8febf549b72fb74728593e6bd543a895c79cee8ba0f9a71f6c74762c5d5a5a4f9e5b5f56ad3bc3b144
SHA1 hash: 669d102faef43081596fa4c2a030032b67919520
MD5 hash: 631b5e58e33fbc4070a8fd8f7667d9a9
humanhash: shade-oklahoma-moon-red
File name:qqeng
Download: download sample
Signature Amadey
Create hunting rule
File size:143'308 bytes
First seen:2024-03-17 20:02:13 UTC
Last seen:2024-03-17 21:17:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ba072a972fe6c47c8cf7a0347bb0af7a (3 x Rhadamanthys, 1 x GuLoader, 1 x RemcosRAT)
ssdeep 768:p+/unhi1zOzZ+/unhi1zOzDKe+3/xBcbK8ahR6/s6921uC9hPiqobwTqghycHAha:pti5OzZti5OzOti5OzPti5Oz
Threatray 1 similar samples on MalwareBazaar
TLSH T172E3660EAE6E5A92D81260B02ED55B094A176EF5FE4F0EB6611FF486C030CD60DD9BCD
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon e9d5f0d5ddd5dde9 (3 x ParallaxRAT, 3 x Rhadamanthys, 1 x CoinMiner)
Reporter rmceoin
Tags:exe


Avatar
rmceoin
147.45.79.82/Downloads/qqeng.pdf.lnk
lastmodified: Sun, 17 Mar 2024 01:33:55 GMT
LNK -> mshta http://92.246.138.48/qqeng -> https://cdnproviderhubworldleads.cfd/update.exe

distraction: https://sgmindia.biz/temp/students.pdf

Intelligence

File Origin
# of uploads :
2
# of downloads :
362
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
afe45e40da95a97781a374d8eaa6f59415457b8980140aaff8d125327ae6d7cd.exe
Verdict:
Malicious activity
Analysis date:
2024-03-17 20:03:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/42cd04c4-8e87-4798-b807-8e6abbf6321e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Strictor.288077.8095.6960.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a window
Searching for the window
Launching a service
Сreating synchronization primitives
Searching for synchronization primitives
Modifying a system executable file
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm lolbin overlay shell32
Link:
https://www.filescan.io/uploads/65f74c77757c624818b14106/reports/0bfc669d-7b38-49f1-87e2-dbf8617eba6a/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/afe45e40da95a97781a374d8eaa6f59415457b8980140aaff8d125327ae6d7cd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ad359ab7-c1f2-4ccd-b203-111e0d7edcdd
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1410454
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1410454 Sample: qqeng.exe Startdate: 17/03/2024 Architecture: WINDOWS Score: 48 9 Multi AV Scanner detection for submitted file 2->9 5 Calculator.exe 2 2->5         started        7 qqeng.exe 12 2->7         started        process3
Score:
44%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/afe45e40da95a97781a374d8eaa6f59415457b8980140aaff8d125327ae6d7cd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afe45e40da95a97781a374d8eaa6f59415457b8980140aaff8d125327ae6d7cd/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2024-03-17 20:03:04 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
10 of 23 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7sf4qg2swuxpandotmovjxvsqkuk64jqakavl7y2este6xg27gq._file
Verdict:
malicious
Similar samples:
6ed0878faf9717214c4f8b61e3d89016bb9d84efb7e88da9a5863dd2a78191e9
Amadey
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240317-ysnsdsfc71/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
afe45e40da95a97781a374d8eaa6f59415457b8980140aaff8d125327ae6d7cd
MD5 hash:
631b5e58e33fbc4070a8fd8f7667d9a9
SHA1 hash:
669d102faef43081596fa4c2a030032b67919520
Link:
https://www.unpac.me/results/9923f265-b73e-4f9a-9aac-fac8bbdf8546/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/afe45e40da95a97781a374d8eaa6f59415457b8980140aaff8d125327ae6d7cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Amadey

Shortcut (lnk) lnk 9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b

Amadey

Executable exe afe45e40da95a97781a374d8eaa6f59415457b8980140aaff8d125327ae6d7cd

(this sample)

Amadey

Executable exe d88da24c018b0d0b71a2b29ab1e5684785726396666599e7c5335507237577fc

  
Dropping
SHA256 d88da24c018b0d0b71a2b29ab1e5684785726396666599e7c5335507237577fc
  
Dropping
MD5 3be93b7272a95d1e804c84c4db9cdacf
  
Dropped by
SHA256 9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b
  
Dropped by
MD5 285e3fe042f687b463de137779ecb33d

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
api-ms-win-core-processthreads-l1-1-0.dll::GetStartupInfoW

Comments