MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c394d2204e02ef3a37d2760d04aa64819fcf7bb5186764e5a48f052379b3a10c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c394d2204e02ef3a37d2760d04aa64819fcf7bb5186764e5a48f052379b3a10c
SHA3-384 hash: 39f9a60688bbb1e7f5405b0d17b8e7037f75c94e76c80d90613a3f64aaf26da8ebcda628c4f2e7a2267ef31a10bde1ec
SHA1 hash: 7c4cee2ac74f6fe145bad452edf9f4cf2ee0fd0c
MD5 hash: d6f260629545983f57e609d9ff0cc770
humanhash: eighteen-stream-hydrogen-jig
File name:d6f260629545983f57e609d9ff0cc770.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:384'512 bytes
First seen:2021-11-30 19:09:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bdaee7bf3d7f5fcbbe5fa5d59a50c909 (3 x RaccoonStealer, 3 x ArkeiStealer, 2 x RedLineStealer)
ssdeep 6144:4XFfKncOF8JAbcoLgFyXwzMpksLsNTPY0rdMUrmFc:4XEcOF8JAZ1wzcksQ9r+Urm
Threatray 187 similar samples on MalwareBazaar
TLSH T11784AE10A7A1C034F1B316F85A7593B8B93F7AA16B3890CF52D916E95638AE0FD31347
File icon (PE):PE icon
dhash icon b2dacaaecee6baa6 (23 x RedLineStealer, 22 x Stop, 13 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://185.215.113.118/fkwdoXScn2/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.215.113.118/fkwdoXScn2/index.php https://threatfox.abuse.ch/ioc/256633/

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d6f260629545983f57e609d9ff0cc770.exe
Verdict:
Malicious activity
Analysis date:
2021-11-30 19:14:03 UTC
Tags:
trojan amadey
Link:
https://app.any.run/tasks/858e6cb3-c7ef-47f2-8d09-498694f3ed2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210067/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Creating a window
Delayed reading of the file
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer glupteba greyware packed smokeloader
Link:
https://www.filescan.io/uploads/61a6770feffcae2254f5cca1/reports/96a3f004-2a5f-4aae-abbe-ca820e66e341/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb312753-83e5-4f71-a86c-bcf9e3aae630
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/898974
Signature
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 531452 Sample: WhOlLmbVt2.exe Startdate: 30/11/2021 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 3 other signatures 2->65 8 WhOlLmbVt2.exe 4 2->8         started        12 tkools.exe 2->12         started        14 tkools.exe 2->14         started        16 tkools.exe 2->16         started        process3 file4 53 C:\Users\user\AppData\Local\...\tkools.exe, PE32 8->53 dropped 75 Detected unpacking (changes PE section rights) 8->75 77 Detected unpacking (overwrites its own PE header) 8->77 79 Contains functionality to inject code into remote processes 8->79 18 tkools.exe 14 8->18         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        26 2 other processes 8->26 signatures5 process6 dnsIp7 55 185.215.113.118, 49758, 49759, 49760 WHOLESALECONNECTIONSNL Portugal 18->55 67 Multi AV Scanner detection for dropped file 18->67 69 Detected unpacking (changes PE section rights) 18->69 71 Detected unpacking (overwrites its own PE header) 18->71 73 2 other signatures 18->73 28 schtasks.exe 1 18->28         started        30 cmd.exe 1 18->30         started        32 cmd.exe 1 22->32         started        34 conhost.exe 22->34         started        36 cacls.exe 1 22->36         started        38 conhost.exe 24->38         started        42 2 other processes 24->42 40 conhost.exe 26->40         started        44 3 other processes 26->44 signatures8 process9 process10 46 conhost.exe 28->46         started        48 reg.exe 1 32->48         started        51 conhost.exe 32->51         started        signatures11 57 Creates an undocumented autostart registry key 48->57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c394d2204e02ef3a37d2760d04aa64819fcf7bb5186764e5a48f052379b3a10c/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 16:45:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
34 of 45 (75.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yokneicoalxtun6soygqjkteqgp4665vdbtwjzner4csg6ntuega._file
Verdict:
malicious
Similar samples:
2d495c79c56b525f230fbbb786d0b95ab3924dfcfc2ea3883882b257ab4263f3
Amadey
72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5
Amadey
7ac85575a5601ad9b71531eb84ada81207d07b29d8fe2e949d56222bd1594135
Amadey
9820500aae4c3b3b5ab38a63f9776a75cfb2203a20798682207aee9e6526aba8
Amadey
a1b0074cbd56956cc94e6161361f8f7407075f2903d14d082c1006f411bec90a
Amadey
c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d
Amadey
fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e
Amadey
ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2
Amadey
+ 177 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey suricata trojan
Link:
https://tria.ge/reports/211130-xvd6asgahp/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Amadey
suricata: ET MALWARE Amadey CnC Check-In
Malware Config
C2 Extraction:
185.215.113.118/fkwdoXScn2/index.php
Unpacked files
SH256 hash:
a73702a190a9ccc1eea4c2a0195ee8b3acec13617151f027a247b14cba0e1e69
MD5 hash:
fdb9ea457bfecb3a8480a8f377fbe718
SHA1 hash:
7c0aa28013a959e89d7348eddbad86427db23221
Link:
https://www.unpac.me/results/a38c6352-2127-4646-b4d4-e9799f24a1bb/
SH256 hash:
c394d2204e02ef3a37d2760d04aa64819fcf7bb5186764e5a48f052379b3a10c
MD5 hash:
d6f260629545983f57e609d9ff0cc770
SHA1 hash:
7c4cee2ac74f6fe145bad452edf9f4cf2ee0fd0c
Link:
https://www.unpac.me/results/a38c6352-2127-4646-b4d4-e9799f24a1bb/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c394d2204e02/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c394d2204e02ef3a37d2760d04aa64819fcf7bb5186764e5a48f052379b3a10c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/210067/

Comments