MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1fbe1e578d32bf34b6c29b06d012f542aac34cdf3af35362e18ea8714716982. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 19


Intelligence 19 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1fbe1e578d32bf34b6c29b06d012f542aac34cdf3af35362e18ea8714716982
SHA3-384 hash: a10bbe59c63149f077d302823c4abf143d3a32edc39dd9d4ba513909b3d8ae95c8d0611d067638a7b722023c52ee45bb
SHA1 hash: 651a6272114a9ef6ed3039a5da41a1f0bfb03e9e
MD5 hash: 6e66aea8d0d6a8e404ccc60bb32a99f3
humanhash: fourteen-oven-cardinal-stream
File name:6e66aea8d0d6a8e404ccc60bb32a99f3.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'873'408 bytes
First seen:2024-09-06 07:24:48 UTC
Last seen:2024-09-06 08:32:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:r49w1qMB2mWX1R3Bk0b2wZ+SE+UgUfjOmxiAr0o8PjFO0/F:rQC2lX1R3B3b2u+SE+UlfjPiAIompz
TLSH T17285331ABD74B331CA9E38B66DCF0BB32C253AF3535C109AD1240675731727AFAA9491
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
414
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
6e66aea8d0d6a8e404ccc60bb32a99f3.exe
Verdict:
Malicious activity
Analysis date:
2024-09-06 07:52:50 UTC
Tags:
amadey botnet stealer themida
Link:
https://app.any.run/tasks/8493130c-958e-4575-9875-816388267dd4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoader47.34772.16889.4546.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66daae5a8e12b8124ac959c4
Tags:
Infostealer Network Stealth Trojan Variant
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/66daae59362fc3477390a381/reports/56cd1412-ae01-4ff5-9b51-0246f51b5c41/overview
Verdict:
Malicious
Labled as:
Kryptik.Generic
Link:
https://www.hybrid-analysis.com/sample/c1fbe1e578d32bf34b6c29b06d012f542aac34cdf3af35362e18ea8714716982
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0d2812fa-37e7-4295-9417-7d7ee8fff2da
Result
Threat name:
PureCrypter, LummaC, Amadey, Clipboard H
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1505447
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected PureCrypter Trojan
Detected unpacking (changes PE section rights)
Drops large PE files
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected Cryptbot
Yara detected CryptOne packer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1505447 Sample: g082Q9DajU.exe Startdate: 06/09/2024 Architecture: WINDOWS Score: 100 150 Found malware configuration 2->150 152 Malicious sample detected (through community Yara rule) 2->152 154 Antivirus / Scanner detection for submitted sample 2->154 156 22 other signatures 2->156 9 axplong.exe 1 46 2->9         started        14 g082Q9DajU.exe 5 2->14         started        16 runtime.exe 2->16         started        18 6 other processes 2->18 process3 dnsIp4 128 185.215.113.117 WHOLESALECONNECTIONSNL Portugal 9->128 130 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 9->130 132 185.215.113.26 WHOLESALECONNECTIONSNL Portugal 9->132 92 C:\Users\user\AppData\Local\...\5KNCHALAH.exe, PE32+ 9->92 dropped 94 C:\Users\user\AppData\Local\...\bundle.exe, PE32 9->94 dropped 96 C:\Users\user\AppData\Local\...\penis.exe, PE32 9->96 dropped 106 19 other malicious files 9->106 dropped 206 Creates multiple autostart registry keys 9->206 208 Hides threads from debuggers 9->208 210 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->210 20 needmoney.exe 9->20         started        24 runtime.exe 9->24         started        27 stealc_default2.exe 9->27         started        39 8 other processes 9->39 98 C:\Users\user\AppData\Local\...\axplong.exe, PE32 14->98 dropped 100 C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII 14->100 dropped 212 Detected unpacking (changes PE section rights) 14->212 214 Tries to evade debugger and weak emulator (self modifying code) 14->214 216 Tries to detect virtualization through RDTSC time measurements 14->216 29 axplong.exe 14->29         started        218 Writes to foreign memory regions 16->218 220 Allocates memory in foreign processes 16->220 222 Injects a PE file into a foreign processes 16->222 31 cmd.exe 16->31         started        33 AppLaunch.exe 16->33         started        35 AppLaunch.exe 16->35         started        134 154.216.17.216 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 18->134 102 C:\Users\user\AppData\Local\...\joffer2.exe, PE32 18->102 dropped 104 C:\Users\user\AppData\...\joffer2[1].exe, PE32 18->104 dropped 224 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->224 37 BitLockerToGo.exe 18->37         started        file5 signatures6 process7 dnsIp8 76 C:\Users\user\AppData\...\svchost015.exe, PE32 20->76 dropped 158 Multi AV Scanner detection for dropped file 20->158 174 3 other signatures 20->174 41 svchost015.exe 20->41         started        118 185.215.113.19 WHOLESALECONNECTIONSNL Portugal 24->118 176 2 other signatures 24->176 45 AppLaunch.exe 24->45         started        48 cmd.exe 24->48         started        50 AppLaunch.exe 24->50         started        120 185.215.113.17 WHOLESALECONNECTIONSNL Portugal 27->120 78 C:\Users\user\AppData\...\softokn3[1].dll, PE32 27->78 dropped 80 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 27->80 dropped 82 C:\Users\user\AppData\...\mozglue[1].dll, PE32 27->82 dropped 90 9 other files (5 malicious) 27->90 dropped 160 Tries to steal Mail credentials (via file / registry access) 27->160 162 Found many strings related to Crypto-Wallets (likely being stolen) 27->162 178 2 other signatures 27->178 164 Detected unpacking (changes PE section rights) 29->164 166 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->166 180 5 other signatures 29->180 52 conhost.exe 31->52         started        122 176.150.119.15 BOUYGTEL-ISPFR France 39->122 124 185.215.113.67 WHOLESALECONNECTIONSNL Portugal 39->124 126 195.133.48.136 MTW-ASRU Russian Federation 39->126 84 C:\Users\user\AppData\...\service123.exe, PE32 39->84 dropped 86 C:\Users\user\...\rgqzVBZOCfumjeaMDHRm.dll, PE32 39->86 dropped 88 C:\Users\user\AppData\Local\...\Hkbsse.exe, PE32 39->88 dropped 168 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->168 170 Machine Learning detection for dropped file 39->170 172 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 39->172 182 5 other signatures 39->182 54 RegAsm.exe 39->54         started        56 RegAsm.exe 6 24 39->56         started        58 Hkbsse.exe 39->58         started        60 3 other processes 39->60 file9 signatures10 process11 dnsIp12 136 91.202.233.158 M247GB Russian Federation 41->136 184 Tries to steal Mail credentials (via file / registry access) 41->184 186 Tries to harvest and steal ftp login credentials 41->186 188 Tries to harvest and steal browser information (history, passwords, etc) 41->188 190 Tries to harvest and steal Bitcoin Wallet information 41->190 138 103.130.147.211 MYREPUBLIC-AS-IDPTEkaMasRepublikID Turkey 45->138 108 C:\Users\user\AppData\Local\...\Channel3.exe, PE32 45->108 dropped 110 C:\Users\user\AppData\...\Channel3[1].exe, PE32 45->110 dropped 62 Channel3.exe 45->62         started        112 C:\Users\user\Pictures\...\runtime.exe, PE32 48->112 dropped 192 Uses schtasks.exe or at.exe to add and modify task schedules 48->192 66 conhost.exe 48->66         started        68 schtasks.exe 48->68         started        114 C:\Users\user\AppData\...\vzVy6ZevhK.exe, PE32 54->114 dropped 116 C:\Users\user\AppData\...\c4W13ZFj1P.exe, PE32 54->116 dropped 194 Found many strings related to Crypto-Wallets (likely being stolen) 54->194 70 vzVy6ZevhK.exe 54->70         started        72 c4W13ZFj1P.exe 54->72         started        140 95.179.250.45 AS-CHOOPAUS Netherlands 56->140 196 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 56->196 198 Installs new ROOT certificates 56->198 200 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 56->200 202 Tries to steal Crypto Currency Wallets 56->202 204 Multi AV Scanner detection for dropped file 58->204 142 104.21.10.172 CLOUDFLARENETUS United States 60->142 144 188.114.97.3 CLOUDFLARENETUS European Union 60->144 file13 signatures14 process15 dnsIp16 146 195.133.13.230 AS-REGRU Russian Federation 62->146 226 Multi AV Scanner detection for dropped file 62->226 228 Tries to harvest and steal browser information (history, passwords, etc) 62->228 148 65.21.18.51 CP-ASDE United States 70->148 230 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 70->230 232 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 70->232 234 Tries to steal Crypto Currency Wallets 70->234 236 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 72->236 74 conhost.exe 72->74         started        signatures17 process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c1fbe1e578d32bf34b6c29b06d012f542aac34cdf3af35362e18ea8714716982
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c1fbe1e578d32bf34b6c29b06d012f542aac34cdf3af35362e18ea8714716982/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-09-02 22:47:14 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
29 of 38 (76.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yh56dzly2mv7gs3mfgyg2ajpkqvkyngn6oxtknroddviofdrngba._file
Verdict:
malicious
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:cryptbot family:lumma family:redline family:stealc botnet:@cloudytteam botnet:bundle botnet:default botnet:default2 botnet:fed3aa botnet:livetraffic credential_access discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/240906-h8za3atcpj/
Behaviour
Checks processor information in registry
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
CryptBot
Lumma Stealer, LummaC
RedLine
RedLine payload
Stealc
Malware Config
C2 Extraction:
http://185.215.113.16
95.179.250.45:26212
65.21.18.51:45580
http://185.215.113.17
analforeverlovyu.top
sevtv17ht.top
fivev5ht.top
http://91.202.233.158
185.215.113.67:15206
https://millyscroqwp.shop/api
https://condedqpwqm.shop/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9e9494e2-ea0a-4637-a1c7-4d39a8411794
Unpacked files
SH256 hash:
28c3b795debbff981ccd6733d6156f6e097ea878f99a6cae500194b20eee84b5
MD5 hash:
52ac70381a2cf88e00fa30e8a4997dcc
SHA1 hash:
4c31f7f5855cb4db29d13d67313f5b4b2c3f2242
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/af962e8b-754e-40fb-bced-346c2ce3db8b/
SH256 hash:
c1fbe1e578d32bf34b6c29b06d012f542aac34cdf3af35362e18ea8714716982
MD5 hash:
6e66aea8d0d6a8e404ccc60bb32a99f3
SHA1 hash:
651a6272114a9ef6ed3039a5da41a1f0bfb03e9e
Link:
https://www.unpac.me/results/af962e8b-754e-40fb-bced-346c2ce3db8b/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c1fbe1e578d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1fbe1e578d32bf34b6c29b06d012f542aac34cdf3af35362e18ea8714716982

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe c1fbe1e578d32bf34b6c29b06d012f542aac34cdf3af35362e18ea8714716982

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3138946/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments