MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef21db6c71757f2ad32dab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef21db6c71757f2ad32dab
SHA3-384 hash: d44f64b934195a24cb54c92b72285d54df930566f5f3afe67904ab778a7d930601019b8ccb6286a4fda112d29c30a77d
SHA1 hash: dc65c36948e054d7c0c25f8665efb46a857e35e0
MD5 hash: ba1dc6c5bcc3b5ec8081a751deed2e44
humanhash: hotel-indigo-yankee-item
File name:bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef2.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:2'486'544 bytes
First seen:2024-01-08 14:15:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 581888de79fcdf75008ceca30e43e69e (1 x Amadey)
ssdeep 49152:8r+K7znqlVMWK8UVXQtWEQe82gLYZyxuw:w+qnqlKWbUV2/Z2
TLSH T1F6B58D31B2F5427DE1B2953088A657F5DA757F104B308ACB2354FA293D326D1AA3A3F1
TrID 31.4% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
23.5% (.EXE) InstallShield setup (43053/19/16)
17.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
5.7% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon 70f8b8b8b8d8e070 (1 x Amadey)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://rubyonthewal.xyz/g9jjjbnAdshZ/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef21db6c71757f2ad32dab.exe
Verdict:
Malicious activity
Analysis date:
2024-01-08 14:16:05 UTC
Tags:
amadey botnet stealer
Link:
https://app.any.run/tasks/2d5c8e2c-619d-42f4-bcaa-9d2a3fcd80fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469873/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Launching a process
Creating a file
DNS request
Sending an HTTP POST request
Delayed reading of the file
Sending a custom TCP request
Sending an HTTP GET request
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm crypto evasive explorer greyware hook keylogger lolbin overlay redcap rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/659c03a399da41ccd7cad2bb/reports/c052a9db-efbd-4315-9cd6-a4224ed85d8b/overview
Verdict:
Malicious
Labled as:
Trojan[Downloader]/Deyma
Link:
https://www.hybrid-analysis.com/sample/bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef21db6c71757f2ad32dab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e205e00e-0409-4656-a7d5-e984e619194d
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1371250
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to disable network adapters
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found Tor onion address
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1371250 Sample: bca1b830105b7ffeae00fea5f3a... Startdate: 08/01/2024 Architecture: WINDOWS Score: 100 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected Amadeys stealer DLL 2->59 8 bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef2.exe 4 2->8         started        12 rundll32.exe 2->12         started        14 augloopclient.exe 2->14         started        16 5 other processes 2->16 process3 file4 39 C:\Users\user\AppData\...\augloopclient.exe, PE32 8->39 dropped 71 Contains functionality to inject code into remote processes 8->71 73 Contains functionality to disable network adapters 8->73 18 augloopclient.exe 1 17 8->18         started        23 rundll32.exe 12->23         started        signatures5 process6 dnsIp7 41 104.21.50.151 CLOUDFLARENETUS United States 18->41 43 172.67.163.238 CLOUDFLARENETUS United States 18->43 45 2 other IPs or domains 18->45 35 C:\Users\user\AppData\Local\...\mip_core.dll, PE32 18->35 dropped 37 C:\Users\user\AppData\...\mip_core[1].dll, PE32 18->37 dropped 61 Antivirus detection for dropped file 18->61 63 Multi AV Scanner detection for dropped file 18->63 65 Creates an undocumented autostart registry key 18->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 18->67 25 rundll32.exe 1 18->25         started        29 schtasks.exe 1 18->29         started        69 Found Tor onion address 23->69 31 WerFault.exe 21 23->31         started        file8 signatures9 process10 dnsIp11 47 195.2.70.38 VDSINA-ASRU Russian Federation 25->47 49 94.103.90.9 VDSINA-ASRU Russian Federation 25->49 51 38.180.61.247 COGENT-174US United States 25->51 75 System process connects to network (likely due to code injection or exploit) 25->75 77 Found Tor onion address 25->77 79 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 25->79 33 conhost.exe 29->33         started        signatures12 process13
Score:
9%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef21db6c71757f2ad32dab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef21db6c71757f2ad32dab/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-01-07 18:49:00 UTC
File Type:
PE (Exe)
Extracted files:
332
AV detection:
11 of 37 (29.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xsq3qmaqln775lqa72s7hkmtlbwqxbpj4pxsdw3mof2x6kwtfwvq._file
Verdict:
malicious
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey persistence trojan
Link:
https://tria.ge/reports/240108-rk413scch7/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Amadey
Malware Config
C2 Extraction:
http://rubyonthewal.xyz
Unpacked files
SH256 hash:
ab8c52813cd42b3ea5a6c54bdbad61a2787329fa643c788c84f889515a22ac66
MD5 hash:
5bf74d5159ead64800175bbedc3bb504
SHA1 hash:
cdef3994cc5c399d121e1a45b273f9aeef997887
Detections:
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/89132d09-c06a-4aa3-8b0b-c6794d9f7c31/
SH256 hash:
c0a2d53efc8609e93f240dbc63f2f0ffb57014a93a6f56cacd9c1914316d3691
MD5 hash:
391b0837c8449db65868678cf42f066a
SHA1 hash:
3fbfc5cebb60a7e28f42fffcf7705c9c3a2ce64e
Link:
https://www.unpac.me/results/89132d09-c06a-4aa3-8b0b-c6794d9f7c31/
SH256 hash:
93894609e3365b62fbb4d5b4219b4199a271888160669c33dbaadbbaf5aff087
MD5 hash:
b8b62fcf0a2f220660dddb310e7e3e0f
SHA1 hash:
da0d682c7bb82fa6d05ed12f88c8666d5e890dc6
Link:
https://www.unpac.me/results/89132d09-c06a-4aa3-8b0b-c6794d9f7c31/
SH256 hash:
bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef21db6c71757f2ad32dab
MD5 hash:
ba1dc6c5bcc3b5ec8081a751deed2e44
SHA1 hash:
dc65c36948e054d7c0c25f8665efb46a857e35e0
Link:
https://www.unpac.me/results/89132d09-c06a-4aa3-8b0b-c6794d9f7c31/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bca1b830105b7ffeae00fea5f3a993586d0b85e9e3ef21db6c71757f2ad32dab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.amadey.
Rule name:win_amadey_bytecodes_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/469873/

Comments