MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baf36ef90cc9d7bad2fe8e4d4d3b9cbb7567f1b0333f034924009ab26fcc0f16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 17

Intelligence 17 IOCs YARA 8 File information Comments

SHA256 hash:	baf36ef90cc9d7bad2fe8e4d4d3b9cbb7567f1b0333f034924009ab26fcc0f16
SHA3-384 hash:	c3b598f35d63a22f4fec12a000ba7099560b227ccf69272b70674554cc2b10b5e2e84f7ada55e83e66cb1fe18655e13a
SHA1 hash:	fc6a5ef033a015d2598f78db21d43d9b63453f6d
MD5 hash:	f1ea2c0511d681d500a4e365f29a163d
humanhash:	lamp-sad-beryllium-queen
File name:	baf36ef90cc9d7bad2fe8e4d4d3b9cbb7567f1b0333f034924009ab26fcc0f16
Download:	download sample
Signature	Amadey Create hunting rule
File size:	1'173'504 bytes
First seen:	2023-05-14 18:30:28 UTC
Last seen:	2023-05-14 18:45:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:LydG5jN0v56FTTI6wed70/fRHnPCkStFcRxQVWkW/loHSZCbZiXaw:+dG55I5ITb0l6N3Vl6aHUCbv
Threatray	385 similar samples on MalwareBazaar
TLSH	T1D6452302BAF640B7DEB5237418F503870B35FD92AC608A165786AA1B9D733D4FA70736
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	JaffaCakes118
Tags:	Amadey

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

baf36ef90cc9d7bad2fe8e4d4d3b9cbb7567f1b0333f034924009ab26fcc0f16

Verdict:

Malicious activity

Analysis date:

2023-05-14 18:33:26 UTC

Tags:

rat redline trojan amadey loader

Link:

https://app.any.run/tasks/bd9cbead-748f-47ec-be6e-fbc2e3e8a5be

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/389449/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a service

Sending a custom TCP request

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Launching a process

Blocking the Windows Defender launch

Disabling the operating system update service

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/84170/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

advpack.dll CAB confuserex installer packed packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/646128f1ed1a1a10659200cb/reports/a28e3229-3b53-4ecd-8a8f-1a1579cef609/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/baf36ef90cc9d7bad2fe8e4d4d3b9cbb7567f1b0333f034924009ab26fcc0f16

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e0025e2b-01f1-4d5d-820e-d9ba87932fa0

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1233563

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/baf36ef90cc9d7bad2fe8e4d4d3b9cbb7567f1b0333f034924009ab26fcc0f16/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2023-05-14 13:55:52 UTC

File Type:

PE (Exe)

Extracted files:

115

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xlzw56imzhl3vux6rzgu2o44xn2wp4nqgm7qgsjeacnle36mb4la._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:messi botnet:warum discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/230514-w52tnsfa5z/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Modifies Windows Defender Real-time Protection settings

RedLine

Malware Config

C2 Extraction:

185.161.248.75:4132

Unpacked files

SH256 hash:

6d597cb2623273a994d1c03fd5452d8fb6c81c74807a20ddfd96ec06cdfc9c97

MD5 hash:

53301a555e737ba969bf6694f2e07252

SHA1 hash:

b5b5fd38f8867cce1e4fc761ecb81873196185b3

Link:

https://www.unpac.me/results/65f05a43-7a78-417d-8146-8ce252fc6ac8/

SH256 hash:

ef614a0bae46690f55c4e5aa317ad5a49c82bae912f254eac57c02acac6be715

MD5 hash:

9c92be8b65a631c5400002e748967d56

SHA1 hash:

829ec86aa2a463a57d07ec0f1c378701218c7b9d

Link:

https://www.unpac.me/results/65f05a43-7a78-417d-8146-8ce252fc6ac8/

SH256 hash:

9cac0baf18f3acec7b2804e432bd0925d84287397714be4f6fbf439e0312cb33

MD5 hash:

2e43b60adf13e1a517a174b983f911ce

SHA1 hash:

ffb8c65644193c1047e463ecb42e1d352deafaf0

Detections:

redline

Link:

https://www.unpac.me/results/65f05a43-7a78-417d-8146-8ce252fc6ac8/

SH256 hash:

eecf9875f30af10765c2ed460ed5c4218020cfffff155de428faad436501b10d

MD5 hash:

c0928e887959c482e00d451c99699f12

SHA1 hash:

ac759a554d65a67fb08a571c851577eff6d88a41

Link:

https://www.unpac.me/results/65f05a43-7a78-417d-8146-8ce252fc6ac8/

SH256 hash:

097def1b5c0d76194d65e9c82cc063ef0f3a77797bfa36b957cf51e0d5d49395

MD5 hash:

226d20b6d1bb8d84a6b9b42acf0e2b29

SHA1 hash:

9f78d75c1cc3548f65ed837fa467f36afe007eaf

Link:

https://www.unpac.me/results/65f05a43-7a78-417d-8146-8ce252fc6ac8/

SH256 hash:

6689410799a62daabae3f45e19704270b8b9d278799aff189734a5edb66ce436

MD5 hash:

ca07c9dbd8dde17aee4c63c91e83f385

SHA1 hash:

e5df47e23f3fa2a4b9ce712907ba2f92dccf3299

Link:

https://www.unpac.me/results/65f05a43-7a78-417d-8146-8ce252fc6ac8/

SH256 hash:

baf36ef90cc9d7bad2fe8e4d4d3b9cbb7567f1b0333f034924009ab26fcc0f16

MD5 hash:

f1ea2c0511d681d500a4e365f29a163d

SHA1 hash:

fc6a5ef033a015d2598f78db21d43d9b63453f6d

Link:

https://www.unpac.me/results/65f05a43-7a78-417d-8146-8ce252fc6ac8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/baf36ef90cc9d7bad2fe8e4d4d3b9cbb7567f1b0333f034924009ab26fcc0f16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_amadey_a9f4 Create hunting rule
Author:	Johannes Bader
Description:	matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/389449/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample