MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73
SHA3-384 hash: 709d42762160b67bbb125a0695725b737a1efa15b82f712c7841e49f84f92423856dd2c9a7d023fec6520e2f0d017f84
SHA1 hash: 7449eecd5006784372a71b1f9f05f74bbe0cd0c7
MD5 hash: bb13f6d819f3b18ebbfe1fb2e0d6c1ed
humanhash: enemy-india-uncle-whiskey
File name:bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:349'184 bytes
First seen:2021-10-27 17:11:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 54b7441daab015de527306d3c41aca4d (1 x Amadey, 1 x Stop, 1 x RedLineStealer)
ssdeep 3072:YoFBN30hy4UXMi6jh7dscqru5VOfemNPinjgENQMysiAPfaGF6kGv9U/8MNmNC/0:HrlVYX+KNd2siAKGYk+28MN4IqSE
Threatray 5'186 similar samples on MalwareBazaar
TLSH T131747C01B6A1C035F6B752F849B693A9B93F79B16B3490CF12D526EE4A746E0EC31307
File icon (PE):PE icon
dhash icon b6dacaaecee6aaa6 (1 x Amadey, 1 x Stop)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
185.244.181.71:2119

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.244.181.71:2119 https://threatfox.abuse.ch/ioc/238433/

Intelligence

File Origin
# of uploads :
1
# of downloads :
364
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-27 16:55:36 UTC
Tags:
trojan rat redline evasion loader stealer vidar opendir
Link:
https://app.any.run/tasks/20bfd2cf-bd27-4a75-9880-d7c2063edc1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200673/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.17016.2558.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61798864a9d585e6d53b974d/reports/67183f1f-9d1d-414c-90d4-d080ad4beb3a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbee86c3-df5c-43e7-8d6e-0fb1d0df190a
Result
Threat name:
Amadey Djvu Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877972
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Renames NTDLL to bypass HIPS
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Djvu Ransomware
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 510405 Sample: sboPQqfpHN.exe Startdate: 27/10/2021 Architecture: WINDOWS Score: 100 79 ttmirror.top 2->79 81 teletele.top 2->81 83 3 other IPs or domains 2->83 105 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->105 107 Multi AV Scanner detection for domain / URL 2->107 109 Antivirus detection for URL or domain 2->109 111 13 other signatures 2->111 12 sboPQqfpHN.exe 2->12         started        15 uducrab 2->15         started        17 sqtvvs.exe 2->17         started        signatures3 process4 signatures5 147 Contains functionality to inject code into remote processes 12->147 149 Injects a PE file into a foreign processes 12->149 19 sboPQqfpHN.exe 12->19         started        151 Machine Learning detection for dropped file 15->151 22 uducrab 15->22         started        process6 signatures7 113 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->113 115 Maps a DLL or memory area into another process 19->115 117 Checks if the current machine is a virtual machine (disk enumeration) 19->117 119 Creates a thread in another existing process (thread injection) 19->119 24 explorer.exe 10 19->24 injected process8 dnsIp9 91 216.128.137.31, 80 AS-CHOOPAUS United States 24->91 93 znpst.top 189.232.62.153, 49869, 80 UninetSAdeCVMX Mexico 24->93 95 7 other IPs or domains 24->95 63 C:\Users\user\AppData\Roaming\uducrab, PE32 24->63 dropped 65 C:\Users\user\AppData\Local\Temp\FB59.exe, PE32 24->65 dropped 67 C:\Users\user\AppData\Local\Temp\F703.exe, PE32 24->67 dropped 69 11 other malicious files 24->69 dropped 123 System process connects to network (likely due to code injection or exploit) 24->123 125 Benign windows process drops PE files 24->125 127 Deletes itself after installation 24->127 129 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->129 29 FB59.exe 4 24->29         started        33 E938.exe 1 24->33         started        35 B25A.exe 24->35         started        37 8 other processes 24->37 file10 signatures11 process12 dnsIp13 75 C:\Users\user\AppData\Local\...\sqtvvs.exe, PE32 29->75 dropped 153 Detected unpacking (changes PE section rights) 29->153 155 Machine Learning detection for dropped file 29->155 40 sqtvvs.exe 29->40         started        77 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 33->77 dropped 157 DLL reload attack detected 33->157 159 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 33->159 161 Renames NTDLL to bypass HIPS 33->161 169 3 other signatures 33->169 163 Injects a PE file into a foreign processes 35->163 45 B25A.exe 35->45         started        85 93.115.20.139, 28978, 49879 MVPShttpswwwmvpsnetEU Romania 37->85 87 162.159.129.233, 443, 49841, 49890 CLOUDFLARENETUS United States 37->87 89 4 other IPs or domains 37->89 165 Antivirus detection for dropped file 37->165 167 Detected unpacking (overwrites its own PE header) 37->167 47 54D.exe 37->47         started        file14 signatures15 process16 dnsIp17 97 185.215.113.45, 49833, 49834, 49847 WHOLESALECONNECTIONSNL Portugal 40->97 99 hwg.jelikob.ru 40->99 71 C:\Users\user\AppData\Local\...\126808361.exe, PE32 40->71 dropped 73 C:\Users\user\AppData\...\126808361[1].exe, PE32 40->73 dropped 131 Multi AV Scanner detection for dropped file 40->131 133 Detected unpacking (changes PE section rights) 40->133 135 Machine Learning detection for dropped file 40->135 137 Uses schtasks.exe or at.exe to add and modify task schedules 40->137 49 126808361.exe 40->49         started        52 cmd.exe 40->52         started        54 schtasks.exe 40->54         started        139 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 45->139 141 Maps a DLL or memory area into another process 45->141 143 Checks if the current machine is a virtual machine (disk enumeration) 45->143 145 Creates a thread in another existing process (thread injection) 45->145 file18 signatures19 process20 signatures21 101 Multi AV Scanner detection for dropped file 49->101 103 Machine Learning detection for dropped file 49->103 56 reg.exe 52->56         started        59 conhost.exe 52->59         started        61 conhost.exe 54->61         started        process22 signatures23 121 Creates an undocumented autostart registry key 56->121
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 17:12:06 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xlcl3kvopwtchj52agqn37uapqufunvpu3ofajbj2qd3u4h2jjzq._file
Verdict:
malicious
Similar samples:
33e40835a9c6e471ece9819aa162eab8327e17967d5952468e33ecdebad7c3b0
Amadey
6d7596a48c5e95b3f42a58b09348c4293f92a0a6738c5850856bf1a5b323a6a8
Amadey
be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881
Amadey
c37feba7ad29a50f566e779edd2c5514edcbd6e87909ca4d8e6d1f9727362d94
Amadey
d836a03e0b7eeabbc971de7d3e6fcc11bf06e13e633d11118c7429b3abb3c4ed
Amadey
eb8f89f434eb8bd8b40a2479555ae558e99009fa0d290df552fd69132b3782d2
Amadey
ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0
Amadey
+ 5'176 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:bazarloader family:raccoon family:redline family:smokeloader family:vidar botnet:04256a88c32735dbae9e9e965ae6cfecb37a8ec5 botnet:11111 botnet:60e59be328fbd2ebac1839ea99411dccb00a6f49 botnet:706 botnet:754 botnet:b6c3d41f039fbc353edce408d14ca491fee838d3 botnet:money-2021 botnet:z0rm1on backdoor discovery dropper infostealer loader spyware stealer trojan
Link:
https://tria.ge/reports/211027-vqtzvafge9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Bazar/Team9 Loader payload
Vidar Stealer
Amadey
Bazar Loader
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
93.115.20.139:28978
https://mas.to/@lilocc
185.215.113.45/g4MbvE/index.php
185.215.113.94:15564
2.56.214.190:59628
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/0adbbe33-f3cf-429b-9fa1-98123f9c3d9d/
SH256 hash:
bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73
MD5 hash:
bb13f6d819f3b18ebbfe1fb2e0d6c1ed
SHA1 hash:
7449eecd5006784372a71b1f9f05f74bbe0cd0c7
Link:
https://www.unpac.me/results/0adbbe33-f3cf-429b-9fa1-98123f9c3d9d/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bac4bdaaae7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/200673/

Comments