MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b34748df4525113b3dc212c943295b4c33ef7b956e89505fd5cf5fe66ee6845a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b34748df4525113b3dc212c943295b4c33ef7b956e89505fd5cf5fe66ee6845a
SHA3-384 hash: 3308f820e2df8ed7e2ba44829c116f7e217c7f96f41f4ee12c38a56d658cbede3d7832ac66d88b4d9ec3b6926b3452ae
SHA1 hash: 533e7a9997de8e5fed702e623dc5d0c41df2d461
MD5 hash: b7b3d9c39854372b2b4eca4213bab256
humanhash: cold-happy-ten-william
File name:b7b3d9c39854372b2b4eca4213bab256.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:5'432'296 bytes
First seen:2023-02-06 13:35:42 UTC
Last seen:2023-02-06 16:40:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7c88a9f12777d4c1f156ccc8f276fa1 (3 x Arechclient2, 2 x RaccoonStealer, 2 x Amadey)
ssdeep 98304:Z6F6wSNExkQZSfmaoJhLgV+YR4mGurdGn0fdY6ka4uJ5eMFMnzvaJxxBANw:Z6KI5Z5cR4uE0lR4+55FMzvgDmw
Threatray 203 similar samples on MalwareBazaar
TLSH T1DA4622622355C248E4E18875963BADF037F61E6E4F41F83851B7FBC624F1CA1EAE6502
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 70f0c8b2d0e88c90 (1 x Amadey)
Reporter abuse_ch
Tags:Amadey exe signed

Code Signing Certificate

Organisation:Unity Stationers Company
Issuer:Unity Stationers Company
Algorithm:sha1WithRSA
Valid from:2018-12-31T21:00:00Z
Valid to:2098-12-31T21:00:00Z
Serial number: -6597f6689fec617fb389ba8a127e7824
Thumbprint Algorithm:SHA256
Thumbprint: 188a60c4924e678998559aebecf3e9ce6ca35c6275cbb28418278d538248812d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Amadey C2:
http://5.75.139.35/so57Nst/index.php

Intelligence

File Origin
# of uploads :
3
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b7b3d9c39854372b2b4eca4213bab256.exe
Verdict:
No threats detected
Analysis date:
2023-02-06 13:36:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/abb33ca0-8b97-4b49-a13f-6f2acbc0f11d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/360879/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65359575.2091.25076.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/65778/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay packed redline virus
Link:
https://www.filescan.io/uploads/63e1024589bd67c10fdcc631/reports/658ba2a8-fe4e-441f-84ba-440cd5173b8a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b34748df4525113b3dc212c943295b4c33ef7b956e89505fd5cf5fe66ee6845a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8f426782-7d40-4b8e-8c6a-57b170325707
Result
Threat name:
Amadey, RedLine, SectopRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166660
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Yara detected SectopRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 799432 Sample: bTzwfy3Jq7.exe Startdate: 06/02/2023 Architecture: WINDOWS Score: 100 76 Multi AV Scanner detection for domain / URL 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for URL or domain 2->80 82 10 other signatures 2->82 8 bTzwfy3Jq7.exe 4 2->8         started        12 nbveek.exe 2->12         started        14 nbveek.exe 2->14         started        16 4 other processes 2->16 process3 file4 56 C:\Users\user\AppData\Local\...\nbveek.exe, PE32 8->56 dropped 58 C:\Users\user\...\nbveek.exe:Zone.Identifier, ASCII 8->58 dropped 114 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->114 116 Query firmware table information (likely to detect VMs) 8->116 118 Tries to evade analysis by execution special instruction (VM detection) 8->118 120 Tries to detect virtualization through RDTSC time measurements 8->120 18 nbveek.exe 1 23 8->18         started        122 Hides threads from debuggers 12->122 signatures5 process6 dnsIp7 60 5.75.139.35 HETZNER-ASDE Germany 18->60 62 167.235.69.31 ALBERTSONSUS United States 18->62 46 C:\Users\user\AppData\...\avicapn32.exe, PE32 18->46 dropped 48 C:\Users\user\AppData\Local\...\rwfacade.dll, PE32 18->48 dropped 50 C:\Users\user\AppData\...\umciavi32[1].exe, PE32 18->50 dropped 52 3 other malicious files 18->52 dropped 92 Multi AV Scanner detection for dropped file 18->92 94 Detected unpacking (creates a PE file in dynamic memory) 18->94 96 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->96 98 7 other signatures 18->98 23 umciavi32.exe 2 18->23         started        27 avicapn32.exe 1 16 18->27         started        30 rundll32.exe 18->30         started        32 2 other processes 18->32 file8 signatures9 process10 dnsIp11 54 C:\ProgramData\bitame\xaroqu.exe, PE32 23->54 dropped 100 Multi AV Scanner detection for dropped file 23->100 102 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->102 104 Query firmware table information (likely to detect VMs) 23->104 112 7 other signatures 23->112 34 InstallUtil.exe 4 23->34         started        68 79.137.195.205 PSKSET-ASRU Russian Federation 27->68 70 8.8.8.8 GOOGLEUS United States 27->70 72 192.168.2.1 unknown unknown 27->72 106 Detected unpacking (changes PE section rights) 27->106 108 Creates multiple autostart registry keys 27->108 74 212.118.36.165 CITYLAN-ASRU Russian Federation 30->74 110 System process connects to network (likely due to code injection or exploit) 30->110 38 conhost.exe 32->38         started        40 conhost.exe 32->40         started        42 cmd.exe 1 32->42         started        44 5 other processes 32->44 file12 signatures13 process14 dnsIp15 64 5.132.162.27 INTERNEX-ASAT Austria 34->64 66 162.55.188.246 ACPCA United States 34->66 84 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->84 86 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->86 88 Tries to harvest and steal browser information (history, passwords, etc) 34->88 90 Tries to steal Crypto Currency Wallets 34->90 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b34748df4525113b3dc212c943295b4c33ef7b956e89505fd5cf5fe66ee6845a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-05 19:11:26 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wndurx2feuitwpoccleugkk3jqz6664vn2evax6vz5p6m3xgqrna._file
Verdict:
malicious
Similar samples:
05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1
Amadey
1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37
Amadey
3534fd0b617be19bf24f9b7ff1e98ab23b98aef40bbc2413554a4ec5e016997e
Amadey
774fa8863d2cb1747c338ef9023103d535715b30b6d5450a9ee146663d77c89b
Amadey
81ae7aea498cdd4d50470b3dcd54088d7bce5bf5f6019b08d9d558acd190cb4d
Amadey
83ad440cf8c2cdd99ec8b184590fe0e9138cccd686b2136eaddc2cdfcf85aecc
Amadey
a95ce284875645f9a3d03d5df48b51a04f6933b2cf10aff3cb0a094fb1e3f89d
Amadey
f072f7896731668ac389aa1d7da8c1d12a858bcf58b6ef8d023ffa78ef3f4023
Amadey
+ 193 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey trojan
Link:
https://tria.ge/reports/230206-qv874seb22/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks computer location settings
Executes dropped EXE
Amadey
Malware Config
C2 Extraction:
5.75.139.35/so57Nst/index.php
Unpacked files
SH256 hash:
383fd2045975ffdb043d02305e892e9a4ce76268def63448283cdb9f2a4586c7
MD5 hash:
bf4ccfd1de288bf40777cf7d5f7cba3d
SHA1 hash:
b90ef4ad2b277ce85e007174cad70a309a580bbf
Link:
https://www.unpac.me/results/a90dd9c4-b637-427f-a2d7-513a3a55f6bd/
SH256 hash:
b34748df4525113b3dc212c943295b4c33ef7b956e89505fd5cf5fe66ee6845a
MD5 hash:
b7b3d9c39854372b2b4eca4213bab256
SHA1 hash:
533e7a9997de8e5fed702e623dc5d0c41df2d461
Link:
https://www.unpac.me/results/a90dd9c4-b637-427f-a2d7-513a3a55f6bd/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b34748df4525/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b34748df4525113b3dc212c943295b4c33ef7b956e89505fd5cf5fe66ee6845a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe b34748df4525113b3dc212c943295b4c33ef7b956e89505fd5cf5fe66ee6845a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2532085/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/360879/

Comments