MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9dbc567a9764bc8e3daef054db96a7b8074b1855370f558d2ee5d859e705485. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9dbc567a9764bc8e3daef054db96a7b8074b1855370f558d2ee5d859e705485
SHA3-384 hash: 1d4a13afca6938f8494455542177f05de209fd15b0a026b4e3c55429077af4d5e01e853f2220b05991fc13fe3d4d83ad
SHA1 hash: d8923489857cb7d686a5d859f21e59cca7a5bf0f
MD5 hash: b00610a2a912123cbb74d8dab219799f
humanhash: vermont-early-foxtrot-tennessee
File name:file.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:4'534'784 bytes
First seen:2023-06-22 00:34:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 98304:2SQMGZ9LjldUO1owqGRRyxjM15uRUSzRWfy:a5LJ9a1MDuRn1E
Threatray 2'856 similar samples on MalwareBazaar
TLSH T10026CD701DA3D2118EF7CD2FA9E56ED2949493B93E09DBBC8055C1AE164FBF0DA20E44
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Chainskilabs
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-06-22 00:37:32 UTC
Tags:
amadey trojan fabookie miner
Link:
https://app.any.run/tasks/2b12668d-1a41-4ca0-a598-d4f193a6156f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/401508/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.9891.14541.22906.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
Creating a process with a hidden window
Searching for the window
Launching a process
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Adding an access-denied ACE
Running batch commands
Query of malicious DNS domain
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/649397379d44d31f835c0bd7/reports/304860f1-856a-472d-823a-fbf3a880cee8/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/c9dbc567a9764bc8e3daef054db96a7b8074b1855370f558d2ee5d859e705485
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de75f15f-5d51-4c70-aab8-718723623670
Result
Threat name:
Amadey, Fabookie, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1259356
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Detected unpacking (creates a PE file in dynamic memory)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 892376 Sample: file.exe Startdate: 22/06/2023 Architecture: WINDOWS Score: 100 94 Snort IDS alert for network traffic 2->94 96 Multi AV Scanner detection for domain / URL 2->96 98 Found malware configuration 2->98 100 16 other signatures 2->100 9 file.exe 5 2->9         started        12 updater.exe 2->12         started        15 cmd.exe 2->15         started        17 9 other processes 2->17 process3 file4 72 C:\Users\user\AppData\Local\...\oldplayer.exe, PE32 9->72 dropped 74 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 9->74 dropped 76 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 9->76 dropped 78 C:\Users\user\AppData\Local\...\file.exe.log, CSV 9->78 dropped 19 oldplayer.exe 3 9->19         started        23 aafg31.exe 14 9->23         started        26 XandETC.exe 3 9->26         started        80 C:\Windows\Temp\aadgyxmr.tmp, PE32+ 12->80 dropped 82 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 12->82 dropped 130 Writes to foreign memory regions 12->130 132 Modifies the context of a thread in another process (thread injection) 12->132 134 Adds a directory exclusion to Windows Defender 12->134 144 2 other signatures 12->144 136 Uses cmd line tools excessively to alter registry or file data 15->136 138 Uses powercfg.exe to modify the power settings 15->138 140 Modifies power options to not sleep / hibernate 15->140 28 sc.exe 15->28         started        30 conhost.exe 15->30         started        36 9 other processes 15->36 142 Creates files in the system32 config directory 17->142 32 conhost.exe 17->32         started        34 conhost.exe 17->34         started        38 21 other processes 17->38 signatures5 process6 dnsIp7 66 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 19->66 dropped 102 Antivirus detection for dropped file 19->102 104 Multi AV Scanner detection for dropped file 19->104 106 Machine Learning detection for dropped file 19->106 108 Contains functionality to inject code into remote processes 19->108 40 oneetx.exe 13 19->40         started        84 us.imgjeoigaa.com 154.221.19.146, 49692, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 23->84 86 as.imgjeoigaa.com 39.109.117.57, 49848, 49866, 50025 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 23->86 88 192.168.2.1 unknown unknown 23->88 68 C:\Users\...\a04c98656473761a1416e58af96b4876, SQLite 23->68 dropped 110 Detected unpacking (creates a PE file in dynamic memory) 23->110 112 Contains functionality to steal Chrome passwords or cookies 23->112 114 Tries to harvest and steal browser information (history, passwords, etc) 23->114 116 Contains functionality to modify clipboard data 23->116 44 taskkill.exe 1 23->44         started        46 taskkill.exe 23->46         started        70 C:\Program Files70otepad\Chrome\updater.exe, PE32+ 26->70 dropped 118 Adds a directory exclusion to Windows Defender 26->118 120 Modifies power options to not sleep / hibernate 28->120 file8 signatures9 process10 dnsIp11 90 5.42.65.80, 49693, 49694, 49695 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 40->90 92 as.imgjeoigaa.com 40->92 122 Antivirus detection for dropped file 40->122 124 Multi AV Scanner detection for dropped file 40->124 126 Creates an undocumented autostart registry key 40->126 128 2 other signatures 40->128 48 cmd.exe 1 40->48         started        50 schtasks.exe 1 40->50         started        52 conhost.exe 44->52         started        54 conhost.exe 46->54         started        signatures12 process13 process14 56 conhost.exe 48->56         started        58 cmd.exe 1 48->58         started        60 cmd.exe 1 48->60         started        64 4 other processes 48->64 62 conhost.exe 50->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9dbc567a9764bc8e3daef054db96a7b8074b1855370f558d2ee5d859e705485/
Threat name:
ByteCode-MSIL.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-06-21 22:19:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
27 of 35 (77.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhn4kz5jozf4ry6254cu3olkpoahjmmfknypkwgs5zoylhtqkscq._file
Verdict:
malicious
Similar samples:
0bc3689575acffde20abb2ff8db97b9698b07fc0e2f64a04ef10dea26fe64d87
Amadey
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
Amadey
4b25ea36c2b25f78c82b2752760b9b667678d3ce95dc292929b570b50e8bcc57
Amadey
62df74714cd81842088313cb600f935d37a851b7faffba085303346877ff2a9f
Amadey
7910119f58b962d6826ee31e19ff5207f8cc5da7d11a03212a2ee38015dd3c54
Amadey
c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4
Amadey
ce07c76e83f9c3a7e9e22a265accb19f522a763c69a6085d220ed9b38ec9c6cf
Amadey
db6a96013bdb32a1b2b0a13f276ce211cccd906e73ec324573c2ed8be69bf2ab
Amadey
de8385440c23789f44c418bdf2e30578559b1c6b142c820f081f81280d1c0888
Amadey
+ 2'846 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:fabookie family:gcleaner family:glupteba family:smokeloader family:xmrig botnet:up3 backdoor discovery dropper evasion loader miner persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/230622-axcc6adb9v/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Detects videocard installed
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Amadey
Detect Fabookie payload
Fabookie
GCleaner
Glupteba
Glupteba payload
Modifies security service
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
xmrig
Malware Config
C2 Extraction:
5.42.65.80/8bmeVwqx/index.php
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
c9dbc567a9764bc8e3daef054db96a7b8074b1855370f558d2ee5d859e705485
MD5 hash:
b00610a2a912123cbb74d8dab219799f
SHA1 hash:
d8923489857cb7d686a5d859f21e59cca7a5bf0f
Link:
https://www.unpac.me/results/dc9b4e07-2b30-45f6-8b2d-ebb0839e3eec/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9dbc567a976/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9dbc567a9764bc8e3daef054db96a7b8074b1855370f558d2ee5d859e705485

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:msil_rc4
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe c9dbc567a9764bc8e3daef054db96a7b8074b1855370f558d2ee5d859e705485

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/401508/
  
URLhaus
https://urlhaus.abuse.ch/url/2647221/

Comments