MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb4842b767474531d720f2837cb6546a31c7e93f8f9d5f516bdc28e5eb1fc297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb4842b767474531d720f2837cb6546a31c7e93f8f9d5f516bdc28e5eb1fc297
SHA3-384 hash: 9a3b34c24484b4c3062e3405a8d73c16d51c54fa78a63c892185b139ff95809d83e204bef7f21c55fcf3519b89f2a28d
SHA1 hash: 3842b3e918bdebdf78e6cf718f1478acf4793276
MD5 hash: a7744d285a50d0d39fd77d28c33251fa
humanhash: carpet-king-eighteen-tennessee
File name:a7744d285a50d0d39fd77d28c33251fa
Download: download sample
Signature Amadey
Create hunting rule
File size:1'605'120 bytes
First seen:2023-11-03 10:30:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:iy+ZMN6+C2QeEfonVHTpjQmbxfTYBjvH6rVxExUDymNtxpHVCllN:JYMAN6EfUVH1ZYBkEx8yOHvCl
TLSH T170752356D3CC965BE4B113F058FB42630237FE2399B0536B6250DA491C73D899AB1F2B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
345
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Launching cmd.exe command interpreter
Searching for synchronization primitives
Running batch commands
Adding an access-denied ACE
Searching for the browser window
DNS request
Behavior that indicates a threat
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Launching a service
Creating a file
Forced shutdown of a system process
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6544cbf6e7c0240939d38876/reports/d00c3c49-1aaf-4495-9679-40ab5becf252/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/cb4842b767474531d720f2837cb6546a31c7e93f8f9d5f516bdc28e5eb1fc297
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c99c1e0-02e8-459d-8188-047dc1170035
Result
Threat name:
Amadey, Babadeda, Mystic Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1336560
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1336560 Sample: YhvR9pNaUt.exe Startdate: 03/11/2023 Architecture: WINDOWS Score: 100 196 api.ip.sb 2->196 228 Snort IDS alert for network traffic 2->228 230 Found malware configuration 2->230 232 Malicious sample detected (through community Yara rule) 2->232 234 21 other signatures 2->234 15 YhvR9pNaUt.exe 1 4 2->15         started        18 svchost.exe 2->18         started        21 explothe.exe 2->21         started        signatures3 process4 dnsIp5 192 C:\Users\user\AppData\Local\...\kG4BE37.exe, PE32 15->192 dropped 194 C:\Users\user\AppData\Local\...\7wM9Td59.exe, PE32 15->194 dropped 23 kG4BE37.exe 1 4 15->23         started        27 7wM9Td59.exe 15->27         started        198 127.0.0.1 unknown unknown 18->198 file6 process7 file8 164 C:\Users\user\AppData\Local\...\Fk4vB99.exe, PE32 23->164 dropped 166 C:\Users\user\AppData\Local\...\6YD8yQ5.exe, PE32 23->166 dropped 262 Antivirus detection for dropped file 23->262 264 Multi AV Scanner detection for dropped file 23->264 266 Machine Learning detection for dropped file 23->266 29 Fk4vB99.exe 1 4 23->29         started        33 6YD8yQ5.exe 23->33         started        268 Detected unpacking (overwrites its own PE header) 27->268 35 cmd.exe 27->35         started        signatures9 process10 file11 180 C:\Users\user\AppData\Local\...\nQ6Bm88.exe, PE32 29->180 dropped 182 C:\Users\user\AppData\Local\...\5yd1Km6.exe, PE32 29->182 dropped 296 Antivirus detection for dropped file 29->296 298 Multi AV Scanner detection for dropped file 29->298 300 Machine Learning detection for dropped file 29->300 37 nQ6Bm88.exe 1 4 29->37         started        41 5yd1Km6.exe 29->41         started        43 chrome.exe 35->43         started        46 chrome.exe 35->46         started        48 chrome.exe 35->48         started        50 8 other processes 35->50 signatures12 process13 dnsIp14 158 C:\Users\user\AppData\Local\...\hi0Gg07.exe, PE32 37->158 dropped 160 C:\Users\user\AppData\Local\...\4Nd715Bv.exe, PE32 37->160 dropped 256 Antivirus detection for dropped file 37->256 258 Multi AV Scanner detection for dropped file 37->258 260 Machine Learning detection for dropped file 37->260 52 hi0Gg07.exe 1 4 37->52         started        56 4Nd715Bv.exe 37->56         started        162 C:\Users\user\AppData\Local\...\explothe.exe, PE32 41->162 dropped 58 explothe.exe 41->58         started        222 192.168.2.6 unknown unknown 43->222 224 239.255.255.250 unknown Reserved 43->224 61 chrome.exe 43->61         started        63 chrome.exe 46->63         started        65 chrome.exe 48->65         started        67 chrome.exe 50->67         started        69 chrome.exe 50->69         started        71 5 other processes 50->71 file15 signatures16 process17 dnsIp18 150 C:\Users\user\AppData\Local\...\MZ8yO48.exe, PE32 52->150 dropped 152 C:\Users\user\AppData\Local\...\3RI93zp.exe, PE32 52->152 dropped 240 Antivirus detection for dropped file 52->240 242 Multi AV Scanner detection for dropped file 52->242 244 Machine Learning detection for dropped file 52->244 73 3RI93zp.exe 52->73         started        76 MZ8yO48.exe 1 4 52->76         started        246 Writes to foreign memory regions 56->246 248 Allocates memory in foreign processes 56->248 250 Injects a PE file into a foreign processes 56->250 79 AppLaunch.exe 56->79         started        214 77.91.124.1 ECOTEL-ASRU Russian Federation 58->214 154 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 58->154 dropped 156 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 58->156 dropped 252 Creates an undocumented autostart registry key 58->252 254 Uses schtasks.exe or at.exe to add and modify task schedules 58->254 82 cmd.exe 58->82         started        84 schtasks.exe 58->84         started        86 rundll32.exe 58->86         started        216 static.ads-twitter.com 61->216 218 t.co 104.244.42.5 TWITTERUS United States 61->218 220 38 other IPs or domains 61->220 file19 signatures20 process21 dnsIp22 270 Multi AV Scanner detection for dropped file 73->270 272 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 73->272 274 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 73->274 278 3 other signatures 73->278 88 explorer.exe 15 20 73->88 injected 176 C:\Users\user\AppData\Local\...\2QY2226.exe, PE32 76->176 dropped 178 C:\Users\user\AppData\Local\...\1oL82ud6.exe, PE32 76->178 dropped 93 1oL82ud6.exe 76->93         started        95 2QY2226.exe 76->95         started        226 77.91.124.86 ECOTEL-ASRU Russian Federation 79->226 276 Found many strings related to Crypto-Wallets (likely being stolen) 79->276 97 chrome.exe 79->97         started        99 cacls.exe 82->99         started        101 conhost.exe 82->101         started        103 cmd.exe 82->103         started        107 4 other processes 82->107 105 conhost.exe 84->105         started        file23 signatures24 process25 dnsIp26 200 185.196.9.171 SIMPLECARRIERCH Switzerland 88->200 202 5.42.65.80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 88->202 204 4 other IPs or domains 88->204 168 C:\Users\user\AppData\Local\Temp\FEB7.exe, PE32 88->168 dropped 170 C:\Users\user\AppData\Local\Temp\F62.exe, PE32 88->170 dropped 172 C:\Users\user\AppData\Local\Temp\F56F.exe, PE32 88->172 dropped 174 5 other malicious files 88->174 dropped 280 System process connects to network (likely due to code injection or exploit) 88->280 282 Benign windows process drops PE files 88->282 109 CC19.exe 88->109         started        113 rundll32.exe 88->113         started        115 D39D.exe 88->115         started        117 cmd.exe 88->117         started        284 Multi AV Scanner detection for dropped file 93->284 286 Contains functionality to inject code into remote processes 93->286 288 Writes to foreign memory regions 93->288 119 AppLaunch.exe 9 1 93->119         started        290 Allocates memory in foreign processes 95->290 292 Injects a PE file into a foreign processes 95->292 121 AppLaunch.exe 12 95->121         started        124 AppLaunch.exe 95->124         started        294 Found many strings related to Crypto-Wallets (likely being stolen) 97->294 126 chrome.exe 97->126         started        128 AppLaunch.exe 99->128         started        file27 signatures28 process29 dnsIp30 184 C:\Users\user\AppData\Local\...\Mq4SO2Nr.exe, PE32 109->184 dropped 186 C:\Users\user\AppData\Local\...\6cB93pD.exe, PE32 109->186 dropped 302 Antivirus detection for dropped file 109->302 304 Machine Learning detection for dropped file 109->304 130 Mq4SO2Nr.exe 109->130         started        306 Multi AV Scanner detection for dropped file 115->306 134 chrome.exe 117->134         started        136 conhost.exe 117->136         started        138 chrome.exe 117->138         started        140 chrome.exe 117->140         started        308 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 119->308 310 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 119->310 312 Modifies windows update settings 119->312 314 2 other signatures 119->314 206 193.233.255.73 FREE-NET-ASFREEnetEU Russian Federation 121->206 208 172.253.62.102 GOOGLEUS United States 126->208 210 172.253.62.99 GOOGLEUS United States 126->210 212 5 other IPs or domains 126->212 file31 signatures32 process33 file34 146 C:\Users\user\AppData\Local\...\mF7QY2xe.exe, PE32 130->146 dropped 148 C:\Users\user\AppData\Local\...\5NG73xx.exe, PE32 130->148 dropped 236 Antivirus detection for dropped file 130->236 238 Machine Learning detection for dropped file 130->238 142 mF7QY2xe.exe 130->142         started        signatures35 process36 file37 188 C:\Users\user\AppData\Local\...\Vv4Rh4tj.exe, PE32 142->188 dropped 190 C:\Users\user\AppData\Local\...\4yB341NV.exe, PE32 142->190 dropped 316 Antivirus detection for dropped file 142->316 318 Machine Learning detection for dropped file 142->318 signatures38
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cb4842b767474531d720f2837cb6546a31c7e93f8f9d5f516bdc28e5eb1fc297
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cb4842b767474531d720f2837cb6546a31c7e93f8f9d5f516bdc28e5eb1fc297/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-11-03 10:31:05 UTC
File Type:
PE (Exe)
Extracted files:
227
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zneefn3hi5ctdvza6kbxznsuniy4p2j7r6ov6ull3quol2y7yklq._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:redline family:smokeloader botnet:plost backdoor brand:paypal evasion infostealer persistence phishing rat trojan
Link:
https://tria.ge/reports/231103-mkc55sgc6x/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Detected potential entity reuse from brand paypal.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Amadey
DcRat
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
Unpacked files
SH256 hash:
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash:
22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash:
db8326c4fad0064ce3020226e8556e7cce8ce04e
Link:
https://www.unpac.me/results/090ff237-4b17-4d45-a3c0-214713280526/
Parent samples :
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
SH256 hash:
5ac1926d744c3230e3341cc8d2e1476dd757460d4ae6f1166996242d7e7e6126
MD5 hash:
9be96789d93ac27d0243595eaf52a7af
SHA1 hash:
c459a729bb0e5d1ebe90a1993ba734e13dc769d6
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/090ff237-4b17-4d45-a3c0-214713280526/
SH256 hash:
98a7a96fb4216daee7b85d88472e26f819ba99f5fa871d17ff52a6c4cf010471
MD5 hash:
02d2d121586753ece97dc0f47bb0c9b5
SHA1 hash:
d6c35941e9f99315a9c77b0a8b59a8e091c804f9
Link:
https://www.unpac.me/results/090ff237-4b17-4d45-a3c0-214713280526/
SH256 hash:
fa75a1e33bb143ff5063203141993b69ed728bc35e2235cef541885d6ed030ba
MD5 hash:
2831243669592ce0143a1dfb03b81632
SHA1 hash:
e08b3d7d14dfbb8c7093d0319e71cfa785050305
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/090ff237-4b17-4d45-a3c0-214713280526/
Parent samples :
b13a57c400f6768b5d11c671dfa94414c1c1130f840575a19ff15121a0cd3c3a
cb4842b767474531d720f2837cb6546a31c7e93f8f9d5f516bdc28e5eb1fc297
SH256 hash:
51363ab27c3da7827b859b5ed59b36215af9273caea7471d1a6d1e17e9a23479
MD5 hash:
ee305cb00f860ac6b77e2956f0f4a8b9
SHA1 hash:
94e9efd2f2d983712685f76f81871f74e4277f6d
Link:
https://www.unpac.me/results/090ff237-4b17-4d45-a3c0-214713280526/
SH256 hash:
7d4feacc2b1e7ec3a24f384e0ead6d4f2689b9d07216b2599ba90cacea0f971c
MD5 hash:
919197d843102ed19834e0cb7e6d0be5
SHA1 hash:
8239e8696c51b979b2069582a272970f662e06dd
Link:
https://www.unpac.me/results/090ff237-4b17-4d45-a3c0-214713280526/
SH256 hash:
cb4842b767474531d720f2837cb6546a31c7e93f8f9d5f516bdc28e5eb1fc297
MD5 hash:
a7744d285a50d0d39fd77d28c33251fa
SHA1 hash:
3842b3e918bdebdf78e6cf718f1478acf4793276
Link:
https://www.unpac.me/results/090ff237-4b17-4d45-a3c0-214713280526/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb4842b76747/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb4842b767474531d720f2837cb6546a31c7e93f8f9d5f516bdc28e5eb1fc297

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe cb4842b767474531d720f2837cb6546a31c7e93f8f9d5f516bdc28e5eb1fc297

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2727421/

Comments