MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b86770ada6724058d417fdfc1d0b1f0911a721601781f52e94c46434db49b9f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b86770ada6724058d417fdfc1d0b1f0911a721601781f52e94c46434db49b9f4
SHA3-384 hash: 5fbf4faa19d46c32816482e176d7e88e76dac9cfcc1fb42456dfce54778342c9dd450a73fd141430e8b2f069e3dfeb62
SHA1 hash: 5ed1b86b55ff6724b9ba74bad2c6260a53c89998
MD5 hash: a8b767059e7838308ffb2be29edf4fb2
humanhash: solar-seven-robert-three
File name:a8b767059e7838308ffb2be29edf4fb2.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:988'871 bytes
First seen:2023-06-18 16:16:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:6tLTyenMEh/rI+Ea4seWbh1/PjsrCe3NsGTzbEr6JeUc/X016JNHJPXFk2LxvTr2:6tieMEe+HeWXjsldP3
TLSH T1CE25DD9D725071DFC86BC4729EA81C64FA61B47B831F5203A42762EDAE4D99BCF140F2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
83.97.73.129:19071

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
a8b767059e7838308ffb2be29edf4fb2.exe
Verdict:
Malicious activity
Analysis date:
2023-06-18 16:19:18 UTC
Tags:
amadey trojan rat redline loader
Link:
https://app.any.run/tasks/e2b7a979-04f3-429b-a52f-66ec1e210ead

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400190/
Detection(s):
Win.Malware.Trojanx-9862538-0
Create hunting rule

Win.Dropper.DarkKomet-9996788-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Launching a service
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex overlay packed packed
Link:
https://www.filescan.io/uploads/648f2dfef72229aa7a9bc880/reports/68513091-7bde-406e-a2eb-d7facbf95785/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b86770ada6724058d417fdfc1d0b1f0911a721601781f52e94c46434db49b9f4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49ff0cc2-8e37-470e-a689-e73838ab5bfc
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1256892
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 889912 Sample: wD9BU7SJap.exe Startdate: 18/06/2023 Architecture: WINDOWS Score: 100 160 Snort IDS alert for network traffic 2->160 162 Found malware configuration 2->162 164 Malicious sample detected (through community Yara rule) 2->164 166 15 other signatures 2->166 13 wD9BU7SJap.exe 1 2->13         started        17 oneetx.exe 2->17         started        19 foto166.exe 2->19         started        21 6 other processes 2->21 process3 file4 126 C:\Users\user\AppData\...\wD9BU7SJap.exe.log, CSV 13->126 dropped 210 Contains functionality to inject code into remote processes 13->210 212 Injects a PE file into a foreign processes 13->212 23 wD9BU7SJap.exe 4 13->23         started        26 wD9BU7SJap.exe 13->26         started        28 wD9BU7SJap.exe 13->28         started        30 oneetx.exe 17->30         started        32 oneetx.exe 17->32         started        34 oneetx.exe 17->34         started        36 x2182426.exe 19->36         started        signatures5 process6 file7 98 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 23->98 dropped 100 C:\Users\user\...\oneetx.exe:Zone.Identifier, ASCII 23->100 dropped 38 oneetx.exe 1 23->38         started        41 x3551133.exe 4 23->41         started        44 x3551133.exe 36->44         started        process8 file9 168 Antivirus detection for dropped file 38->168 170 Multi AV Scanner detection for dropped file 38->170 172 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->172 176 3 other signatures 38->176 46 oneetx.exe 2 24 38->46         started        51 conhost.exe 38->51         started        114 C:\Users\user\AppData\Local\...\g1928051.exe, PE32 41->114 dropped 116 C:\Users\user\AppData\Local\...\f6172000.exe, PE32 41->116 dropped 174 Machine Learning detection for dropped file 41->174 53 g1928051.exe 41->53         started        55 f6172000.exe 41->55         started        57 f6172000.exe 44->57         started        signatures10 process11 dnsIp12 138 77.91.124.20, 49696, 49697, 49703 ECOTEL-ASRU Russian Federation 46->138 140 192.168.2.1 unknown unknown 46->140 128 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 46->128 dropped 130 C:\Users\user\AppData\Local\...\fotod85.exe, PE32 46->130 dropped 132 C:\Users\user\AppData\Local\...\foto166.exe, PE32 46->132 dropped 136 3 other malicious files 46->136 dropped 144 Creates an undocumented autostart registry key 46->144 146 Creates multiple autostart registry keys 46->146 59 fotod85.exe 46->59         started        63 foto166.exe 1 4 46->63         started        65 cmd.exe 1 46->65         started        69 2 other processes 46->69 134 C:\Users\user\AppData\Local\...\rugen.exe, PE32 53->134 dropped 148 Antivirus detection for dropped file 53->148 150 Multi AV Scanner detection for dropped file 53->150 152 Machine Learning detection for dropped file 53->152 67 rugen.exe 53->67         started        142 83.97.73.129, 19071, 49769, 49833 UNACS-AS-BG8000BurgasBG Germany 55->142 154 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 55->154 156 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 55->156 158 Tries to harvest and steal browser information (history, passwords, etc) 57->158 file13 signatures14 process15 file16 118 C:\Users\user\AppData\Local\...\y4914277.exe, PE32 59->118 dropped 120 C:\Users\user\AppData\Local\...\n3338948.exe, PE32 59->120 dropped 198 Antivirus detection for dropped file 59->198 200 Machine Learning detection for dropped file 59->200 71 y4914277.exe 59->71         started        122 C:\Users\user\AppData\Local\...\x2182426.exe, PE32 63->122 dropped 124 C:\Users\user\AppData\Local\...\i6919409.exe, PE32 63->124 dropped 202 Multi AV Scanner detection for dropped file 63->202 75 x2182426.exe 1 4 63->75         started        204 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 65->204 206 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 65->206 77 conhost.exe 65->77         started        79 cmd.exe 1 65->79         started        81 cacls.exe 1 65->81         started        85 4 other processes 65->85 208 Contains functionality to modify clipboard data 69->208 83 conhost.exe 69->83         started        signatures17 process18 file19 102 C:\Users\user\AppData\Local\...\y4953089.exe, PE32 71->102 dropped 104 C:\Users\user\AppData\Local\...\m2095191.exe, PE32 71->104 dropped 178 Antivirus detection for dropped file 71->178 180 Machine Learning detection for dropped file 71->180 87 y4953089.exe 71->87         started        106 C:\Users\user\AppData\Local\...\x3551133.exe, PE32 75->106 dropped 108 C:\Users\user\AppData\Local\...\h9207317.exe, PE32 75->108 dropped signatures20 process21 file22 110 C:\Users\user\AppData\Local\...\k5779089.exe, PE32 87->110 dropped 112 C:\Users\user\AppData\Local\...\j4648382.exe, PE32 87->112 dropped 182 Antivirus detection for dropped file 87->182 184 Machine Learning detection for dropped file 87->184 91 k5779089.exe 87->91         started        94 j4648382.exe 87->94         started        signatures23 process24 signatures25 186 Antivirus detection for dropped file 91->186 188 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 91->188 190 Machine Learning detection for dropped file 91->190 192 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 91->192 194 Disable Windows Defender notifications (registry) 94->194 196 Disable Windows Defender real time protection (registry) 94->196 96 conhost.exe 94->96         started        process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b86770ada6724058d417fdfc1d0b1f0911a721601781f52e94c46434db49b9f4/
Threat name:
Win32.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-05-21 23:45:39 UTC
File Type:
PE (.Net Exe)
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xbtxblngojafrvax7x6b2cy7bei2oilac6a7kluuyrsdjw2jxh2a._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:duza botnet:jason discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230618-trcarahd41/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
77.91.124.20/store/games/index.php
83.97.73.129:19071
77.91.68.63/doma/net/index.php
Unpacked files
SH256 hash:
7560bd490edfc33c287b53201060257e3625c6f8fdd6f6cea157309a4186e3ec
MD5 hash:
2b38cbd6ab360d89c89f88d6d2ae5316
SHA1 hash:
6ee5e281100617a7cfa1e323689261960fc40208
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/f8b3313d-0e7c-461f-96ab-4e6f705372a6/
Parent samples :
fecf856b99edb62d300108f908c3fd958e74291ab84f9f3114caaaf9de229680
51e5520f9b6317221e6069757239b4d8155066ec80e2d7aa10e4f52e23b0eefa
52d4d3e90bf2066eb34e4681e7974c6993ea4194a196f3f64f342f93101ae560
24529ca8c312800e6fd3dc743b39ad784a97ba4d6de5268480b4abc9d3001ed1
05aa031d9569d15e4c57f3592e220ff6721ae363fcd4f17cbce5356a1572c3e6
6b23916e3a5ad2f16bda396719bdc193f11fc2db3a12ada108e1c6fad101ebe4
e09c2f61ed9dbedc183027d54d775a325048a56d9fe911b3c1c274c5832dc6de
3ce8e7bfd632b8f18c70c080212e794e3fec697ae715729960dbdac9668b6b48
68a02de775344d70c4ef33c00996221d64a826a890c163b5a6ebabc166746c0d
3df0c2859745cc05a0ffcaad7766acf43af7810d40002f72e5486f54d78c07ee
d83be445ccac2d1f61ce9057a4dedb2ce4774f4785ba751b6da2aa5dfbcec94d
d95aac3ab85c4141a9c8536efc95030d829b586e8a7749cfcac4b89773f87e72
5b9e7b70c820e2fb2f447a98ac7fe01d0d8c701f676e9efe7bfb5302e8ea7327
15e9ba88a28765d93b02f29f9d9eb6f800a357b6183cc6bb567c48ae49b2807e
b86770ada6724058d417fdfc1d0b1f0911a721601781f52e94c46434db49b9f4
b7e5284da48e43038ff4339ce23f9d688a0735ae917040cecaa5569b228e269c
8d9439129649c7faf4217f0417d8e3e8f59a6893b7bfcc519099fc40614d9740
ec00f5b3ff9be2f07ccb3c82fabee1c3f15c19c7d0d2a4c8f4cc3d45f4bd27d1
SH256 hash:
b86770ada6724058d417fdfc1d0b1f0911a721601781f52e94c46434db49b9f4
MD5 hash:
a8b767059e7838308ffb2be29edf4fb2
SHA1 hash:
5ed1b86b55ff6724b9ba74bad2c6260a53c89998
Link:
https://www.unpac.me/results/f8b3313d-0e7c-461f-96ab-4e6f705372a6/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b86770ada672/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b86770ada6724058d417fdfc1d0b1f0911a721601781f52e94c46434db49b9f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400190/

Comments