MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7be8c46221ad3abb42023dacbfd9c2e6c5a229284b1c6d37ba916c207d667fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7be8c46221ad3abb42023dacbfd9c2e6c5a229284b1c6d37ba916c207d667fd
SHA3-384 hash: f6f07c2a796e4d91883923771416559ef1e11f016c33ad9a2c5ecaa018676fbc727f174318b35ded2551d28979a89a75
SHA1 hash: 5d92a17e91b1cc5aed372419b72c639042da2e76
MD5 hash: 6023a9fae0226fb52b9844d74eb9411b
humanhash: whiskey-utah-oranges-fourteen
File name:6023a9fae0226fb52b9844d74eb9411b
Download: download sample
Signature Amadey
Create hunting rule
File size:378'368 bytes
First seen:2021-12-05 23:57:19 UTC
Last seen:2021-12-06 03:14:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5da563873972430c247e0379344310f5 (6 x RedLineStealer, 2 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep 6144:ttsC5Ey/Dal2/V+zFsUTr+EAO5e+LaZPBp0kIeqduQ6JX:ttsCOyrzMedEAO5e+La/2kIeMw
Threatray 201 similar samples on MalwareBazaar
TLSH T1D084AE10B7E0C035F1F313F889B593A8B93E7AA1A76494CF22D516EA56756E1EC3031B
File icon (PE):PE icon
dhash icon b2dacabecee6baa2 (33 x RedLineStealer, 30 x Smoke Loader, 28 x Stop)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
438
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6023a9fae0226fb52b9844d74eb9411b
Verdict:
Malicious activity
Analysis date:
2021-12-06 00:01:08 UTC
Tags:
trojan amadey rat redline
Link:
https://app.any.run/tasks/944a9960-c723-4b2c-9aaf-0d25045d7c3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211559/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.81096.28191.26305.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Adding an access-denied ACE
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Creating a window
Delayed reading of the file
DNS request
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/980/overview
Behaviour
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer glupteba greyware packed
Link:
https://www.filescan.io/uploads/61ad520dfa72c81b5b0d75d5/reports/86affd6a-5137-407d-be94-a642e50fa743/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLineStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3288548c-c6ca-4656-b72f-83b7d67c89d9
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901876
Signature
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Sigma detected: Conti Backup Database
Sigma detected: Disable or Delete Windows Eventlog
Sigma detected: PowerShell SAM Copy
Sigma detected: Suspicious PowerShell Invocations - Generic
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534354 Sample: SVFD384LS5 Startdate: 06/12/2021 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected Amadeys stealer DLL 2->67 69 8 other signatures 2->69 8 SVFD384LS5.exe 4 2->8         started        12 tkools.exe 2->12         started        14 tkools.exe 2->14         started        process3 file4 51 C:\Users\user\AppData\Local\...\tkools.exe, PE32 8->51 dropped 71 Detected unpacking (changes PE section rights) 8->71 73 Detected unpacking (overwrites its own PE header) 8->73 75 Contains functionality to inject code into remote processes 8->75 16 tkools.exe 14 8->16         started        20 cmd.exe 1 8->20         started        22 cmd.exe 1 8->22         started        24 2 other processes 8->24 signatures5 process6 dnsIp7 53 185.215.113.35, 49769, 49770, 80 WHOLESALECONNECTIONSNL Portugal 16->53 55 Multi AV Scanner detection for dropped file 16->55 57 Detected unpacking (changes PE section rights) 16->57 59 Detected unpacking (overwrites its own PE header) 16->59 61 2 other signatures 16->61 26 cmd.exe 1 16->26         started        28 schtasks.exe 1 16->28         started        30 conhost.exe 20->30         started        38 2 other processes 20->38 32 conhost.exe 22->32         started        40 2 other processes 22->40 34 conhost.exe 24->34         started        36 conhost.exe 24->36         started        42 2 other processes 24->42 signatures8 process9 process10 44 reg.exe 1 26->44         started        47 conhost.exe 26->47         started        49 conhost.exe 28->49         started        signatures11 77 Creates an undocumented autostart registry key 44->77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7be8c46221ad3abb42023dacbfd9c2e6c5a229284b1c6d37ba916c207d667fd/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2021-12-05 23:54:24 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
26 of 27 (96.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y67iyrrcdlj2xnbaepnmx7m4fzwfuiusqsy4nu33velmeb6wm76q._file
Verdict:
malicious
Similar samples:
250298a15ca5e40170a1feb8e639b12bbd591a448ebbfe5bc7574a1532596c46
Amadey
4f75795df9a479ac3958ad0120c45a52846772767fd41685d94a66bdf8cda3e8
Amadey
7b78f37ade729464194676ac2d6d35d400dedf985121a1e1c61383835da2159d
Amadey
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112
Amadey
9c2b3a7c5abdcd9cfbafc27cddcdd4054cea214e15d3a1666cf407d2479a1f7e
Amadey
acd7f67e0dcc0ccb219ce5406f180a217cc5b8adc3385fd87c95fe6f68fb29ed
Amadey
fb452b1488f00eb47c35b783125cb4ef2ef9c97e82ccda1c651ceaa3ee12a60e
Amadey
+ 191 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211205-3z6c8sfhb8/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Downloads MZ/PE file
Amadey
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.35/d2VxjasuwS/index.php
45.9.20.143:52345
Unpacked files
SH256 hash:
87c233cf81a1be07342c1f67dc40b71c95d39249674eac0fdfdf631754a9de42
MD5 hash:
39236aec7824a8f4fab52ac2ba318770
SHA1 hash:
70cb4c5092d786f9ba121a1d66dd6c3d4e732e9b
Link:
https://www.unpac.me/results/87fbb279-7808-4a8c-a8ed-121839ded2ed/
SH256 hash:
c7be8c46221ad3abb42023dacbfd9c2e6c5a229284b1c6d37ba916c207d667fd
MD5 hash:
6023a9fae0226fb52b9844d74eb9411b
SHA1 hash:
5d92a17e91b1cc5aed372419b72c639042da2e76
Link:
https://www.unpac.me/results/87fbb279-7808-4a8c-a8ed-121839ded2ed/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c7be8c46221a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7be8c46221ad3abb42023dacbfd9c2e6c5a229284b1c6d37ba916c207d667fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe c7be8c46221ad3abb42023dacbfd9c2e6c5a229284b1c6d37ba916c207d667fd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1856854/
Cape
Cape
https://www.capesandbox.com/analysis/211559/

Comments


Avatar
zbet commented on 2021-12-05 23:57:21 UTC

url : hxxps://e6tfvc.federguda.ru/a_2021-12-01_19-40.exe