MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 12



SHA256 hash: b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34
SHA3-384 hash: 210a57eeb9fef12d533fd024ccc1ef5bdc09c9af6de3843e94579af279f105432b1673c6f27682645f06cfbad6307609
SHA1 hash: d36bf939a4cf6ed710ff083306b8e3e20ed9e437
MD5 hash: 18744d81b074ea24f489b58b430b7d9c
humanhash: beer-sink-twenty-mike
File name: B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe
Signature: Amadey
File size: 6'568'426 bytes
First seen: 2022-06-08 19:32:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:Jy/6U5zwp6+oaFYJa/MLHmTSeOKT3b/Rtvo:Jy/6AMoa2JGMLm2exL/RtQ
TLSH: T1576633A83B116CEFDDAA91370FED57108D57B3DF00C273028B78250E6D189696EA97D2
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: Amadey exe
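The imphash above ties this sample to 141 RedLineStealer, 101 GuLoader and 64 DiamondFox samples even though the entry is tagged Amadey. That is expected: imphash is computed only from the import table, so every file wrapped by the same packer or installer stub exposes the stub's imports, not the payload's. The example below is added here and is not MalwareBazaar's or pefile's code; it reimplements the published pefile get_imphash() algorithm over a hand-written import list so it runs without parsing a real PE. The import list is constructed for illustration. One simplification is labelled in the code: pefile also maps known ordinals of a few modules (ws2_32, oleaut32) to function names, and that lookup table is omitted here.

```python
import hashlib

# pefile's imphash algorithm, reimplemented over a plain list of imports so it
# runs without a real PE. Each import is (module name, function name or
# ordinal number). Added example; not code from this page or from pefile.

STRIPPED_EXTENSIONS = ("ocx", "sys", "dll")


def _normalise_module(name: str) -> str:
    """Lower-case the module name and drop a trailing .dll/.ocx/.sys."""
    name = name.lower()
    base, sep, ext = name.rpartition(".")
    if sep and ext in STRIPPED_EXTENSIONS:
        return base
    return name


def imphash(imports) -> str:
    """Return the imphash for an ordered list of (module, function) pairs.

    Ordinal imports are written as ord<N>. (pefile additionally resolves known
    ordinals of ws2_32 and oleaut32 to names; that table is omitted here, so
    for those two modules the result can differ from pefile's.) Returns "" when
    there are no imports, matching pefile for a file without an import table.
    Order matters: the same functions imported in a different order hash
    differently.
    """
    parts = []
    for module, func in imports:
        func_name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{_normalise_module(module)}.{func_name}")
    if not parts:
        return ""
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed import table: a typical packer stub imports only a handful of
# loader functions, so every sample packed by that stub hashes the same,
# whatever payload it carries.
PACKER_STUB_IMPORTS = [
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "VirtualProtect"),
]

if __name__ == "__main__":
    print(imphash(PACKER_STUB_IMPORTS))
```

Because module case and extension are normalised away, `KERNEL32.DLL` and `kernel32` produce the same hash; because order is preserved, the same four functions in reverse order do not. That is why an imphash pivot is useful for clustering by packer and weak for attributing a family.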


abuse_ch
Amadey C2:
185.174.101.76:45108

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                         ThreatFox reference
185.174.101.76:45108                        https://threatfox.abuse.ch/ioc/673941/
http://185.215.113.15/Lkb2dxj3/index.php    https://threatfox.abuse.ch/ioc/673942/
95.182.121.218:80                           https://threatfox.abuse.ch/ioc/673943/
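The table mixes two IOC shapes, a bare socket (ip:port) and a full URL, and a naive string search over logs misses both the port and the path. The following added example (mine, not MalwareBazaar's or ThreatFox's code) normalises the three IOCs above and runs them over a handful of constructed key=value log lines, matching sockets on destination host and port and URLs on host, scheme port and path. The log lines are made up for illustration; the IOC values are the ones in the table.

```python
import re
from urllib.parse import urlsplit

# The three IOCs from the ThreatFox table above, verbatim.
IOCS = [
    "185.174.101.76:45108",
    "http://185.215.113.15/Lkb2dxj3/index.php",
    "95.182.121.218:80",
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_ioc(ioc: str):
    """Normalise one IOC to (host, port, path).

    A URL IOC keeps its path so that only that endpoint matches; a host:port
    IOC has path None and matches any connection to that socket.
    """
    if "://" in ioc:
        u = urlsplit(ioc)
        port = u.port or DEFAULT_PORTS.get(u.scheme)
        return (u.hostname, port, u.path or "/")
    host, _, port = ioc.rpartition(":")
    return (host, int(port), None)


NORMALISED = [(ioc, parse_ioc(ioc)) for ioc in IOCS]

# Constructed log lines in a simple key=value style (not from the sandbox runs
# on this page): three connection records and two proxy records.
SAMPLE_LOG = """\
2022-06-08T19:40:01Z conn src=10.0.0.5 dst=185.174.101.76 dport=45108 proto=tcp
2022-06-08T19:40:03Z http src=10.0.0.5 dst=185.215.113.15 dport=80 url=http://185.215.113.15/Lkb2dxj3/index.php?id=1
2022-06-08T19:40:05Z conn src=10.0.0.5 dst=95.182.121.218 dport=443 proto=tcp
2022-06-08T19:40:07Z http src=10.0.0.5 dst=185.215.113.15 dport=80 url=http://185.215.113.15/other.php
2022-06-08T19:40:09Z conn src=10.0.0.5 dst=8.8.8.8 dport=53 proto=udp
"""

KV = re.compile(r"(\w+)=(\S+)")


def match_line(line: str):
    """Return the IOC string a log line hits, or None.

    The port is part of the match: 95.182.121.218 is an IOC on port 80 only,
    so a connection to it on 443 is not reported. Loosen this deliberately if
    host-only hits are wanted.
    """
    fields = dict(KV.findall(line))
    try:
        dst, dport = fields["dst"], int(fields["dport"])
    except (KeyError, ValueError):
        return None
    url = fields.get("url")
    for ioc, (host, port, path) in NORMALISED:
        if path is None:
            if dst == host and dport == port:
                return ioc
        elif url is not None:
            u = urlsplit(url)
            uport = u.port or DEFAULT_PORTS.get(u.scheme)
            # Query strings vary per beacon; compare host, port and path only.
            if u.hostname == host and uport == port and (u.path or "/") == path:
                return ioc
    return None


def scan(log_text: str):
    """Return [(line_number, ioc)] for every line that hits an IOC."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ioc = match_line(line)
        if ioc is not None:
            hits.append((n, ioc))
    return hits


if __name__ == "__main__":
    for n, ioc in scan(SAMPLE_LOG):
        print(f"line {n}: {ioc}")
```

On the constructed log only lines 1 and 2 hit: line 3 reaches an IOC host on the wrong port and line 4 reaches the right host and port with a different path. Both are worth a second look in practice, but they are not matches for the IOCs as published.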

Intelligence


File Origin
# of uploads: 1
# of downloads: 469
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe
Verdict: No threats detected
Analysis date: 2022-06-08 19:37:02 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: arkeistealer barys control.exe mokes overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Nymaim, RedLine, SmokeLoader, Socelars
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Binary or sample is protected by dotNetProtector
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
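Three of the signatures above describe Defender tampering by the dropped installers: a directory exclusion is added, real-time protection is switched off through the registry, and Defender is disabled via a service or PowerShell. Those actions leave process-creation records that are easy to hunt for. The example below is added here and is not sandbox or MalwareBazaar code; it runs a few command-line rules over constructed process-creation events shaped like the fields a Sysmon Event ID 1 or Security 4688 record carries. The events are made up for illustration. The cmdlets (Add-MpPreference, Set-MpPreference), the Real-Time Protection policy key and the WinDefend service name are real; the exact command lines an installer uses vary, so treat the regexes as a starting point, not a complete ruleset.

```python
import re

# Constructed process-creation events (parent image, image, command line).
# Illustrative only; these are not records from the sandbox runs on this page.
EVENTS = [
    ("C:\\Users\\user\\AppData\\Local\\Temp\\setup_install.exe",
     "C:\\Windows\\System32\\cmd.exe",
     'cmd /c powershell -nologo -Command "Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Local\\Temp"'),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\reg.exe",
     'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" '
     '/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\sc.exe",
     "sc stop WinDefend"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell -Command "Get-MpPreference"'),
]

# Each rule is (name, pattern) and is matched against the command line only.
# Both the PowerShell form and the direct registry/service form of each
# tampering action are covered; a read-only query (Get-MpPreference) is not.
RULES = [
    ("defender_exclusion_added", re.compile(
        r"Add-MpPreference\s+(?:.*\s)?-Exclusion(?:Path|Process|Extension)\b"
        r"|Windows Defender\\Exclusions\\(?:Paths|Processes|Extensions)",
        re.IGNORECASE)),
    ("defender_realtime_disabled", re.compile(
        r"-DisableRealtimeMonitoring\s+(?:\$true|1)\b"
        r"|Real-Time Protection.*DisableRealtimeMonitoring.*/d\s+0*1\b",
        re.IGNORECASE)),
    ("defender_service_stopped", re.compile(
        r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+WinDefend\b"
        r"|\bsc(?:\.exe)?\s+config\s+WinDefend\s+start=\s*disabled\b",
        re.IGNORECASE)),
]


def classify(command_line: str):
    """Return the names of every rule the command line triggers."""
    return [name for name, pat in RULES if pat.search(command_line)]


def triage(events):
    """Return [(image, [rule names])] for the events that trigger a rule."""
    out = []
    for _parent, image, cmdline in events:
        hits = classify(cmdline)
        if hits:
            out.append((image, hits))
    return out


if __name__ == "__main__":
    for image, hits in triage(EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

`Set-MpPreference -DisableRealtimeMonitoring $false` and `Get-MpPreference` do not fire, which keeps the rules from alerting on an administrator restoring protection or auditing it. In a real deployment, the parent image (here setup_install.exe under a user's Temp directory) is the second signal to key on: these commands issued by a freshly dropped executable are far more suspicious than the same commands from a management agent.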
Behaviour
Behavior Graph: ID 641848; sample B9BA3633E6AE613C553BB7311AF...; start date 08/06/2022; architecture WINDOWS; score 100. The graph image itself is not reproduced; the process tree, dropped files, network contacts and signatures that can be read from it are listed below.

Sample-level network contacts: ip-api.com (208.95.112.1, ports 49753, 80; TUT-ASUS, United States); 104.208.16.94 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 18 other IPs or domains.
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 28 other signatures.

Process tree (indentation shows parent/child; "drops" lists files written by that process):

B9BA3633E6AE613C553BB7311AFFB973B5D3C5F41DE5A.exe
  drops: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  -> setup_installer.exe
     drops: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\Tue22edcc71bba.exe (PE32); C:\Users\user\AppData\...\Tue22dead8ba66.exe (PE32); 19 other files (14 malicious)
     -> setup_install.exe
        network: 127.0.0.1; wensela.xyz
        signatures: Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
        -> cmd.exe
           -> Tue22144d94096209a.exe
              network: 85.202.169.116 (ports 49762, 49771, 80; GUDAEV-ASRU, Netherlands); 162.214.79.75 (UNIFIEDLAYER-AS-1US, United States); 10 other IPs or domains
              drops: C:\Users\user\Pictures\...\file5.exe.exe (PE32); C:\Users\user\AppData\Local\...\wam[1].exe (PE32+); C:\Users\user\...\TrdngAnlzr649[1].exe (PE32); 17 other files (7 malicious)
              signatures: Antivirus detection for dropped file; May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); 2 other signatures
        -> cmd.exe
           -> Tue22a2f1d85288dc91e.exe
              network: iplogger.org (148.251.234.83, ports 443, 49752, 49770; HETZNER-ASDE, Germany); www.listincode.com (199.59.242.150, ports 443, 49747; BODIS-NJUS, United States)
              signatures: Machine Learning detection for dropped file
        -> cmd.exe
           -> Tue224a0143b0.exe
              network: cdn.discordapp.com (162.159.133.233, ports 443, 49744, 49758; CLOUDFLARENETUS, United States)
        -> 7 other processes
           signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
           -> Tue228409ba5788.exe
              network: panelbot.webtm.ru (92.53.96.150, ports 49749, 80; TIMEWEB-ASRU, Russian Federation)
           -> Tue2205061ee61ad04c.exe
           -> Tue2263f1213b8.exe
           -> 2 other processes
Threat name: Win32.Trojan.Redlinestealer
Status: Malicious
First seen: 2021-10-27 11:51:44 UTC
File Type: PE (Exe)
Extracted files: 170
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: socelars
Score: 10/10
Tags: family:djvu family:onlylogger family:redline family:socelars botnet:chris botnet:media26 botnet:pub2 aspackv2 discovery evasion infostealer loader ransomware spyware stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
AutoIT Executable
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Unexpected DNS network traffic destination
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger Payload
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
91.121.67.60:23325
185.215.113.46:80
194.104.136.5:46013
http://zfko.org/test3/get.php
Unpacked files
SHA256 hash: ffb0fcede542fa2a31553073105b74f85e3a6d92987392dcce5e5e49743c878b
MD5 hash: 688bb186be4be7a4e668f4dff71ce220
SHA1 hash: bc06b533f88e5260bdb9f63d19bac9fe71ee5c64

SHA256 hash: 7ad9edd79f03fb782d1a8490f9b56ea25f8e9cd33f10ca5017f8ff5aac6b5eda
MD5 hash: 1ee5fb8981ebc7fb9ddacb9d8607d35c
SHA1 hash: eefc86ed0839384d351d7229fea251714a5cae1e

SHA256 hash: e297e89e11933aa6fc67cbd8da44fc0f6b8d8030166738b111b31673d41e4d19
MD5 hash: 2a2667d1fbcd8fde9ca0bd6f50827c79
SHA1 hash: f6838f02651e1430613bf78de99e240dbcb8d3c7

SHA256 hash: 92bc70b3e7e6c99bc93dec85ecd8db8b101a766917bee4967d36b20f5522ff57
MD5 hash: b78915e5316a375923d57cd80d805845
SHA1 hash: 5ad907aa1adc5f7899a9304b4e814b381e4909de

SHA256 hash: c58864f83621d81a5054403310f4bff876321bbfb93c62ed9a9d6e2153681a4e
MD5 hash: 7b075d4fee20763ec3d3a86177f56318
SHA1 hash: f86577ebc1c0b33577c44f4a63ace3840de2954f

SHA256 hash: eb8ffea34c1766bf42f4118fee7407047f71815ef92dec221121baf95338460d
MD5 hash: 138a0694a61a8f01bec3075df64aba30
SHA1 hash: db4e3180dc492536e7d6a42f086c9b2b4c133e13

SHA256 hash: 2c964c5070502f6000bbb3f66f200a18ac7c394c5d6764c1d1f726783959d40a
MD5 hash: 5b68c333ae0c1d013619eda08f6665db
SHA1 hash: d616077f94916d44662b6c6bf19b177e32454559

SHA256 hash: 704c6bcf41150349889935a9541e66b1ac723314c66dfccd29a4cafbc926c066
MD5 hash: cfd3f8532eb10e43c0584fcc320ac184
SHA1 hash: c8d0fc846372cd54fdefc35bbd75efa1c8c2137e

SHA256 hash: 02418488d591179e80530f6f311c86f16b6e7c0dd1743246fd29cfec406e4cef
MD5 hash: 75a68b5263acaedd105324b37baad7a6
SHA1 hash: b16f547564dabae53775cb1c81da3c6c5ffe6622

SHA256 hash: 82b60a8c25db65bae520e73b7a67d2a6ca1f0fe6926439d0d7f1c0d52aa2f7d4
MD5 hash: a758705ffd480485776c573bbe7091ca
SHA1 hash: ae62bd009da6c2bf8e91f06a9a01890f74828d07

SHA256 hash: 639cabb90c1dea9d5fd5b146606de79e2fa45a1a52d4b60da6591bbd230cc0e0
MD5 hash: ada33095dd61cac649a68d89a607eca7
SHA1 hash: 9ec496c66ec36cda254bd69588b751f7495e3dce

SHA256 hash: 41de2cbd96331716cca12da5b2f79991b057fa28b4b7041832cbb4758268593e
MD5 hash: 32ef7fd872e526d7bf630a6c69f14d2b
SHA1 hash: 7c4dd744df6421e65aac0517268a5b9dde93f3c0

SHA256 hash: eb2beb14afe375a6b1fadafea434d8648a63e68a27b6b5923ecfdac40318e1cb
MD5 hash: c8dc59b999863c9f4caf49718283fdfc
SHA1 hash: 6f3c65ba58243d8630ea107037ee043b29465a7c

SHA256 hash: e8727c5e9114f3234d77075effca68c32072c6cb18377762da8c7c5c4bc7b650
MD5 hash: 769483334615f2ad86cbc8d4490fe1bf
SHA1 hash: 24153cc67f9ee102e63caa1877cc9ef3075b5363

SHA256 hash: 66dffb7e752682db54a784f76e582c6592bc8ff5def22690b7443ac8162d6de5
MD5 hash: 8b7e8e532ea51e4aea098a3f72d5602c
SHA1 hash: 0723a7853c72380c77607f979c5f88a2a71e8bad

SHA256 hash: 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash: 6449aa2e023c5931ac91815ca54225ed
SHA1 hash: 65b5f4df2c28472469ddf924e6b0d0a61394c612

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: 18c5c91d5f256c8c1e24936dbee5fd7fa6b7b91a5464cbefdc1a36b6dfed27be
MD5 hash: e49f343a65b938acd1b6d91601240b81
SHA1 hash: dffa8a42250c65ea9b6b05e627805438e01191af

SHA256 hash: 4887918b59cd66475a12a9c512ec570e6f900c23ef69ff7513e2b5cd63fd2ef2
MD5 hash: 4d3446a7e14d3250e1030b67e202c8dd
SHA1 hash: cd8fdfdfed34fcd05700293658bfcf8528e68802

SHA256 hash: 60b93788bf891eff4308710c136caca60713d13e99a48422d87a99fafb46719e
MD5 hash: e04e04817f15889977ce0889d2b9b7a8
SHA1 hash: 9d84243b07c4896d0f587ee6e0aceda21bf4746e

SHA256 hash: aabc5559ac868125596495c379924f58756f104bae8e8975a6c03ecbe397e4f5
MD5 hash: 2178102fe9fc5a9027bcdccfd34b2e54
SHA1 hash: 7ba7cf5ddaa924c3dbc039b0a6b49b7b4bb1e4c3

SHA256 hash: 0bbda5f2323ba1310403aad32a9a5a05b3530f25744430c8280840ccddbf45e6
MD5 hash: 75cca643b50d7f2baaaad90bb002d255
SHA1 hash: db390284b3a39d1c3a0e106c84356dd9afe4fc61

SHA256 hash: ca118ace765cd5ef38595df8cd4dde6b76aabe62299b6485ace3140c5d9cc670
MD5 hash: 69bd2293a348c5413abae9cad0cfa707
SHA1 hash: 314351fcb568c866738ca351b2fdee71de4bc980

SHA256 hash: b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34
MD5 hash: 18744d81b074ea24f489b58b430b7d9c
SHA1 hash: d36bf939a4cf6ed710ff083306b8e3e20ed9e437

The last entry is the submitted sample itself (same SHA256, MD5 and SHA1 as in the database entry above); the other 23 are files unpacked or dropped during analysis.
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
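The two SUSP_XORed_Mozilla rules match the User-Agent string under any single-byte XOR key, but a YARA string with the xor modifier (for example `$s = "Mozilla/5.0" xor(0x01-0xff)`) cannot report which key matched, which is why the description points at a CyberChef brute-force recipe. The example below is added here and is neither part of those rules nor MalwareBazaar code; it performs the same brute force in Python, reports the key and offset of each hit, and decodes the surrounding string. The blob it scans is constructed for illustration and encoded with key 0x5A.

```python
KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(data: bytes, keyword: bytes = KEYWORD):
    """Return [(key, offset)] for every single-byte key under which keyword appears.

    This is the search a YARA string with xor(0x01-0xff) performs, with the
    key made visible. Key 0 is excluded on purpose: a plaintext hit is not
    evidence of obfuscation.
    """
    hits = []
    for key in range(1, 256):
        needle = xor_bytes(keyword, key)  # XOR is its own inverse: search the encoded form
        start = 0
        while (idx := data.find(needle, start)) >= 0:
            hits.append((key, idx))
            start = idx + 1
    return hits


def recover_string(data: bytes, key: int, offset: int) -> bytes:
    """Decode the string starting at offset up to the first encoded NUL.

    Under a single-byte key an encoded NUL is the byte equal to the key, so
    scanning for that byte finds the terminator without decoding the buffer.
    """
    end = data.find(bytes([key]), offset)
    if end < 0:
        end = len(data)
    return xor_bytes(data[offset:end], key)


# Constructed blob: 16 bytes of padding, a NUL-terminated User-Agent string
# XORed with 0x5A, then 8 bytes of filler. Not taken from this sample.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = (
    b"\x00" * 16
    + xor_bytes(b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\x00", SAMPLE_KEY)
    + b"\x90" * 8
)

if __name__ == "__main__":
    for key, offset in find_xored_keyword(SAMPLE_BLOB):
        print(f"key=0x{key:02x} offset={offset}: {recover_string(SAMPLE_BLOB, key, offset)!r}")
```

Once the key is known, the same xor_bytes() call decodes the rest of the configuration block that usually sits next to the User-Agent string. For a multi-byte rolling key the single-byte search above will not hit; the YARA xor modifier has the same limitation.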

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments