MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca6d95e7f749f7ab89857bb4d2247a4ff286557a65f1aa63c02564b9e262bec1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 13



SHA256 hash: ca6d95e7f749f7ab89857bb4d2247a4ff286557a65f1aa63c02564b9e262bec1
SHA3-384 hash: 9060d2dabd6ed01ee5239a99edc4a62b071bcc4b52e7160bd6c04e23579c6077f0d81d1fe0db87bb731f4e0c9f7e81e4
SHA1 hash: ee73106d1c2e656e51319ef890dae7e4cef66ede
MD5 hash: e1c689710a29b76479084a99fc9fd59d
humanhash: earth-ack-apart-sink
File name: file
Signature: Amadey
File size: 339'968 bytes
First seen: 2022-12-06 04:15:28 UTC
Last seen: 2022-12-06 05:27:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b66bcdd169ea4dbb3d98b3a2c400830b (17 x Smoke Loader, 13 x Amadey, 1 x DanaBot)
ssdeep: 3072:jBXVzSYl7Ut29+wmWR5/M/R2gfQOzpGHd6/C7B3QvTiEHPaSniVRvJTcpqgDyZVy:jll9+w4/jbA9J3OR5nIDchDyZVBVS
Threatray: 3'225 similar samples on MalwareBazaar
TLSH: T13C74DF2176A0E5B2C08D39309D25D6A06ABBBC7254E1757737493E3E2EB17C07E2670E
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 9a9acefecee6eaee (153 x Amadey, 147 x Smoke Loader, 25 x RedLineStealer)
Reporter: andretavare5
Tags: Amadey exe


andretavare5
Sample downloaded from http://31.41.244.188/mula/tord.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 195
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-12-06 04:18:47 UTC
Tags: trojan amadey loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a file
Creating a window
Connecting to a non-recommended domain
Sending an HTTP POST request
Delayed reading of the file
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: phis.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Behavior Graph ID: 761332
Sample: file.exe
Start date: 06/12/2022
Architecture: WINDOWS
Score: 100
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 2 other signatures
Process tree:
  file.exe (started)
    dropped: C:\Users\user\AppData\Local\...\gntuud.exe (PE32); C:\Users\user\...\gntuud.exe:Zone.Identifier (ASCII)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to inject code into remote processes
    gntuud.exe (started)
      network: 62.204.41.6 (TNNET-ASTNNetOyMainnetworkFI, United Kingdom)
      dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32); C:\Users\user\AppData\Local\...\cred64[1].dll (PE32)
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Creates an undocumented autostart registry key; 2 other signatures
      rundll32.exe (started)
        network: 192.168.2.6 (unknown)
        signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; 2 other signatures
      schtasks.exe (started)
        conhost.exe (started)
  gntuud.exe (started)
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2022-12-06 04:16:07 UTC
File Type: PE (Exe)
Extracted files: 65
AV detection: 26 of 26 (100.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey collection spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Amadey
Detect Amadey credential stealer module
Malware Config
C2 Extraction: 62.204.41.6/p9cWxH/index.php
Unpacked files
SHA256 hash: be91543d87f31d5bab7129c8bc63646ccc7c6aacabfa527ef4642a386145334c
MD5 hash: 065ee41f9a4f66bd96f0448d68cc4178
SHA1 hash: 12cfe42b86f2f050cb40f75cd1bd1b1832e6aea7
Detections: Amadey
Parent samples:
SHA256 hash: ca6d95e7f749f7ab89857bb4d2247a4ff286557a65f1aa63c02564b9e262bec1
MD5 hash: e1c689710a29b76479084a99fc9fd59d
SHA1 hash: ee73106d1c2e656e51319ef890dae7e4cef66ede
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments