MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd76672c4ce0e8a354845dfea23a444afdafb1e6a8e924a9bd3a54e3c0009a1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd76672c4ce0e8a354845dfea23a444afdafb1e6a8e924a9bd3a54e3c0009a1a
SHA3-384 hash: 1a86f7ee8cec70354ef77dcb26ffa457cd28511382ffd1c5b8d108f25dfe4f73a3613b79df4cefdf3d3741c40f9397ed
SHA1 hash: 10e3398ef36f65994ab7fa2d3ce689282803167c
MD5 hash: 0904ab799f20b48a0aae4fc53a975666
humanhash: blossom-uncle-sixteen-kentucky
File name:0904ab799f20b48a0aae4fc53a975666.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'859'584 bytes
First seen:2024-03-04 06:08:48 UTC
Last seen:2024-03-04 07:27:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:/37p+fIpGWYcUVvFmBzcFPx7LOSG/+OVHTqiN9cXStLh+7O3d346zo9IenCAtajH:/wfIEFc+NkwFRL6+qHllv+8zoqW2j
TLSH T1968533D27F184274D236A6FDC3938715EF2AA489EB356086789EE7D57F330ABD081019
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
375
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
cd76672c4ce0e8a354845dfea23a444afdafb1e6a8e924a9bd3a54e3c0009a1a.exe
Verdict:
Malicious activity
Analysis date:
2024-03-04 06:11:51 UTC
Tags:
amadey botnet stealer loader
Link:
https://app.any.run/tasks/455e7780-56d4-4704-b0fd-aa27a1e64a5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6559.13148.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65e5657f3b77ec652565153f/reports/cf5df06d-0a18-4f19-ace0-40170e907750/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cd76672c4ce0e8a354845dfea23a444afdafb1e6a8e924a9bd3a54e3c0009a1a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/68347068-e478-4304-9c08-aba315f40617
Result
Threat name:
LummaC, Python Stealer, Amadey, LummaC S
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1402335
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1402335 Sample: 8uT94eNAur.exe Startdate: 04/03/2024 Architecture: WINDOWS Score: 100 132 resergvearyinitiani.shop 2->132 134 www.google.com 2->134 136 5 other IPs or domains 2->136 208 Snort IDS alert for network traffic 2->208 210 Multi AV Scanner detection for domain / URL 2->210 212 Found malware configuration 2->212 214 28 other signatures 2->214 10 explorgu.exe 1 66 2->10         started        15 8uT94eNAur.exe 5 2->15         started        signatures3 process4 dnsIp5 148 185.215.113.32, 49721, 49722, 49724 WHOLESALECONNECTIONSNL Portugal 10->148 150 185.215.113.45 WHOLESALECONNECTIONSNL Portugal 10->150 152 3 other IPs or domains 10->152 102 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 10->102 dropped 104 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 10->104 dropped 106 C:\Users\user\AppData\...\trust12344.exe, PE32 10->106 dropped 110 33 other malicious files 10->110 dropped 224 Detected unpacking (changes PE section rights) 10->224 226 Found many strings related to Crypto-Wallets (likely being stolen) 10->226 228 Creates multiple autostart registry keys 10->228 236 3 other signatures 10->236 17 juditttt.exe 10->17         started        21 alex12.exe 10->21         started        23 jokerpos.exe 10->23         started        25 12 other processes 10->25 108 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 15->108 dropped 230 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->230 232 Tries to evade debugger and weak emulator (self modifying code) 15->232 234 Tries to detect virtualization through RDTSC time measurements 15->234 file6 signatures7 process8 dnsIp9 86 C:\Users\user\AppData\...\_quoting_c.pyd, PE32+ 17->86 dropped 88 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 17->88 dropped 90 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 17->90 dropped 98 32 other files (31 malicious) 17->98 dropped 190 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->190 28 stub.exe 17->28         started        192 Contains functionality to inject code into remote processes 21->192 194 Writes to foreign memory regions 21->194 196 Allocates memory in foreign processes 21->196 32 RegAsm.exe 21->32         started        35 conhost.exe 21->35         started        198 Injects a PE file into a foreign processes 23->198 37 RegAsm.exe 23->37         started        45 2 other processes 23->45 142 217.195.207.156, 47721, 49731 ASFIBERSUNUCUTR Turkey 25->142 144 37.120.237.196 SECURE-DATA-ASRO Romania 25->144 146 8 other IPs or domains 25->146 92 C:\Users\user\AppData\Local\...\INetC.dll, PE32 25->92 dropped 94 C:\Users\user\AppData\Local\...\nspF3E2.tmp, PE32 25->94 dropped 96 C:\Users\user\AppData\Local\...\nsb5CC9.tmp, PE32 25->96 dropped 100 6 other malicious files 25->100 dropped 200 Detected unpacking (changes PE section rights) 25->200 202 Detected unpacking (creates a PE file in dynamic memory) 25->202 204 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->204 206 12 other signatures 25->206 39 RegAsm.exe 25->39         started        41 rundll32.exe 23 25->41         started        43 RegAsm.exe 25->43         started        47 11 other processes 25->47 file10 signatures11 process12 dnsIp13 154 ip-api.com 208.95.112.1 TUT-ASUS United States 28->154 156 127.0.0.1 unknown unknown 28->156 112 C:\Users\user\AppData\Local\...\Monster.exe, PE32+ 28->112 dropped 49 cmd.exe 28->49         started        51 cmd.exe 28->51         started        53 cmd.exe 28->53         started        66 2 other processes 28->66 114 C:\Users\user\AppData\Roaming\...\olehpsp.exe, PE32 32->114 dropped 116 C:\Users\user\AppData\Roaming\...\fate.exe, PE32 32->116 dropped 166 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->166 168 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->168 55 fate.exe 32->55         started        59 olehpsp.exe 32->59         started        158 94.156.8.100 NET1-ASBG Bulgaria 37->158 118 C:\Users\user\AppData\...\softokn3[1].dll, PE32 37->118 dropped 126 11 other files (7 malicious) 37->126 dropped 170 Tries to steal Mail credentials (via file / registry access) 37->170 172 Found many strings related to Crypto-Wallets (likely being stolen) 37->172 174 Tries to steal Crypto Currency Wallets 37->174 120 C:\Users\user\AppData\...\softokn3[1].dll, PE32 39->120 dropped 122 C:\Users\user\AppData\...\mozglue[1].dll, PE32 39->122 dropped 124 C:\Users\user\AppData\...\freebl3[1].dll, PE32 39->124 dropped 128 3 other files (1 malicious) 39->128 dropped 176 Tries to harvest and steal Bitcoin Wallet information 39->176 178 Tries to steal Instant Messenger accounts or passwords 41->178 180 Uses netsh to modify the Windows network and firewall settings 41->180 182 Tries to harvest and steal ftp login credentials 41->182 184 Tries to harvest and steal WLAN passwords 41->184 61 powershell.exe 41->61         started        64 netsh.exe 2 41->64         started        160 37.27.52.220 UNINETAZ Iran (ISLAMIC Republic Of) 43->160 186 Tries to harvest and steal browser information (history, passwords, etc) 43->186 162 20.218.68.91, 49741, 7690 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 47->162 164 resergvearyinitiani.shop 172.67.217.100, 443, 49734, 49739 CLOUDFLARENETUS United States 47->164 188 Query firmware table information (likely to detect VMs) 47->188 file14 signatures15 process16 dnsIp17 68 conhost.exe 49->68         started        70 WMIC.exe 49->70         started        72 conhost.exe 51->72         started        74 WMIC.exe 51->74         started        84 2 other processes 53->84 138 185.172.128.33, 49737, 8970 NADYMSS-ASRU Russian Federation 55->138 216 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 55->216 218 Found many strings related to Crypto-Wallets (likely being stolen) 55->218 220 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 55->220 140 5.42.65.31 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 59->140 222 Tries to steal Crypto Currency Wallets 59->222 130 C:\Users\user\...\246122658369_Desktop.zip, Zip 61->130 dropped 76 conhost.exe 61->76         started        78 conhost.exe 64->78         started        80 conhost.exe 66->80         started        82 conhost.exe 66->82         started        file18 signatures19 process20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cd76672c4ce0e8a354845dfea23a444afdafb1e6a8e924a9bd3a54e3c0009a1a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd76672c4ce0e8a354845dfea23a444afdafb1e6a8e924a9bd3a54e3c0009a1a/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-03-04 03:27:41 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zv3golcm4dukgveelx7keosejl627mpgvdusjkn5hjkohqaatina._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:redline family:risepro family:sectoprat family:zgrat botnet:@logscloudyt_bot botnet:livetraffic dave discovery evasion infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240304-gwf4aacf92/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Detects videocard installed
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Dave packer
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect ZGRat V1
Lumma Stealer
RedLine
RedLine payload
RisePro
SectopRAT
SectopRAT payload
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.32
185.172.128.33:8970
20.218.68.91:7690
193.233.132.62
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
https://executivebrakeji.shop/api
Unpacked files
SH256 hash:
a47e8be318ae6b3dcf56aaf1231afc320b4f804dba2e31a95bfd0fcf38ecf9e5
MD5 hash:
5a348cf8b3047c6bcb99ba1e670765c2
SHA1 hash:
69fa17f19c97b9b739db6700719e8f7049587a72
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/e42557b2-0428-4d3d-bc31-44c967a8cb4e/
SH256 hash:
cd76672c4ce0e8a354845dfea23a444afdafb1e6a8e924a9bd3a54e3c0009a1a
MD5 hash:
0904ab799f20b48a0aae4fc53a975666
SHA1 hash:
10e3398ef36f65994ab7fa2d3ce689282803167c
Link:
https://www.unpac.me/results/e42557b2-0428-4d3d-bc31-44c967a8cb4e/
Malware family:
RedLine.D
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd76672c4ce0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe cd76672c4ce0e8a354845dfea23a444afdafb1e6a8e924a9bd3a54e3c0009a1a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2757406/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2761196/
  
URLhaus
https://urlhaus.abuse.ch/url/2759927/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments