MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598
SHA3-384 hash:	cd84b514164ae7926fe2210305d4a0fafd11d7ee04d5be94720015021894abfa768b768630de382ffece9ad1b132a0c7
SHA1 hash:	7543818d0a93c7494fa5246fdcbc6d940699f86b
MD5 hash:	dd404946a2ca5db2ffcaecd2b2388199
humanhash:	potato-helium-foxtrot-six
File name:	dd404946a2ca5db2ffcaecd2b2388199.exe
Download:	download sample
Signature	Amadey Alert Create hunting rule
File size:	796'160 bytes
First seen:	2023-06-03 11:45:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:jyJSEa/Lpi2zoBbTYgJv7TqDICBw6UbVoq:2Jgz4vBh/QIYw7xo
TLSH	T13105129373D84066ECB127F25CF216A30E36BDF1057897AB3746986F1EB2291653036B
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
83.97.73.126:19046

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

242

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

dd404946a2ca5db2ffcaecd2b2388199.exe

Verdict:

Malicious activity

Analysis date:

2023-06-03 11:47:39 UTC

Tags:

rat redline amadey trojan loader

Link:

https://app.any.run/tasks/c53afa8e-54d5-4850-8aaa-40ef5ebde94b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox RedLine

Detection:

RedLine

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/395142/

ClamAV Detected

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

Alert

Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Launching a service

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Unauthorized injection to a recently created process

Blocking the Windows Defender launch

Disabling the operating system update service

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/89196/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

advpack.dll anti-vm CAB greyware installer lolbin packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/647b27fb439c23db22490f8d/reports/e0f2dc82-8df4-49fa-8836-d32d581e393d/overview

Hybrid Analysis HEUR/AGEN.1305824

Verdict:

Malicious

Labled as:

HEUR/AGEN.1305824

Link:

https://www.hybrid-analysis.com/sample/cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Amadey

Malware family:

Amadey

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7764f73c-803d-4083-a6a2-24f33491567f

Joe Sandbox Amadey, RedLine

Result

Threat name:

Amadey, RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1248155

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Amadeys stealer DLL

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598/

ReversingLabs TitaniumCloud Win32.Trojan.RedLineStealer

Threat name:

Win32.Trojan.RedLineStealer

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-03 11:46:06 UTC

File Type:

PE (Exe)

Extracted files:

117

AV detection:

20 of 24 (83.33%)

Threat level:

  5/5

Spamhaus Hash Blocklist

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zx4dhwilygnd3yw6pztslnqo4tbc7vrpuj22yimlvyx5okca4wma._file

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:redline botnet:brain botnet:dusa discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/230603-nxaffsge99/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Modifies Windows Defender Real-time Protection settings

RedLine

Malware Config

C2 Extraction:

83.97.73.126:19046

UnpacMe redline Amadey HealerAVKiller

Unpacked files

SH256 hash:

7ec061a0b2a51c0f9c275ec2c0902c45f6a71ab970e66c7e24d6f4231f4d4da2

MD5 hash:

77b0350dd24335b97e38e5a53dbac982

SHA1 hash:

894d3610cb04c32f3a957e9b998bbe9c2d8676ee

Link:

https://www.unpac.me/results/582b85de-013d-4009-bc41-7954c7840200/

SH256 hash:

daed442a3ddbf31bc48526a7a93c573923c014bae06ac44bf2049b739a72cd6d

MD5 hash:

87fffb30dcff049f0e8cc932a9a6b323

SHA1 hash:

fa8de45eea3a136c0c92c7ac5378b9b8069e1f52

Detections:

redline

Alert

Create hunting rule

Link:

https://www.unpac.me/results/582b85de-013d-4009-bc41-7954c7840200/

Parent samples :

cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598
8ebdfe232d4dc11a79f43b420f9bd26e8d8e6c13dac0ddc1144c432c9e8c2db0
e9bc1461c10946308fa4a0fb16f274108d80c351068ca95b5698a5a51d3b6de7

SH256 hash:

d56ecceb820b84e64e07d913f97beb66f5d06fa8a0340100a824cd2fdac6458f

MD5 hash:

ec06445b4219b0a44c6fdb86b271d49a

SHA1 hash:

3c0ac2b458672c891197c2f413a3ab0ccb27c95a

Link:

https://www.unpac.me/results/582b85de-013d-4009-bc41-7954c7840200/

SH256 hash:

4990a4dbdca31ab1370a7c13129e4d9babc3023e0857cc06fc27272b82ff8f93

MD5 hash:

7eab45057d4b19b3b502a110f2b3dffd

SHA1 hash:

010ea7e642600ff70072e0406b1e264355043119

Detections:

Amadey

Alert

Create hunting rule

Link:

https://www.unpac.me/results/582b85de-013d-4009-bc41-7954c7840200/

Parent samples :

b0907592c41daab2935d800607033462c57c51aa3c1cd988aaf9c13c9c2ddc6b
9e62f416edd15fa68e734e71379188ecb5edc80e8ebd37fb31acd2a58e05e7ac
9816209effe1c3adeda70b2e28cd87f4fd74c61aa9487dcf037f00eeab9f8393
cded1e1e75ce2d506ce7223d894e1726c9a9b17fb727172ba68cb94770702c56
94a8206d3c9d14e05831b13bbda45a5cdff9d4a32ba9d4fc17f6a01fd976b12e
1ac9a4c7e4f6008f099af1dc88b00df6304fdae5f27e8aade1d757b0a20eb31d
cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598
60c410e59852be7e8b91f73a67b1f70f1059a827921df73d3f4b0e062ec5cc2c
dced09999f640c0a63a7a60fbefc685b5891c67336d7c88ca79cb74ad49068de
bc88f0b6c0d5675f7ed9b30bc01cab6ec8d39e2e80ba0ee01caab557c679c84a
aa6215e591b97e76a40393ddf3175d1c46dbedab9ab1282b00b0b0d7cd24f71b
85655400afd7f45818453b92d14f5bf91e0734abc6cf94de3301bfa08e5c9f72
7becbd225d65be7dfda500f924bfb9070d068ecf3a34f6ba490fa0e1ba6497f0
33cb98a8ac1563b26ba8ff842135d488fa2d3cdbdb7de0f05ca4fcac63155ff7
74b102111f7d344a2c0cb7a77d73c968aff7f6a4b67c3457643d9a61c12d2aef
5330f5956dda9f4531291237e81b4ed6d9a7321a936eecda109c3bede5e89140
1ec5ecec7452379c2d19c80bb25effff79414ab2faf5c32d0dada42e1935be50
8ebdfe232d4dc11a79f43b420f9bd26e8d8e6c13dac0ddc1144c432c9e8c2db0
c0cde7089d6c966e87c1f3bb030296c5618011644e7afa90c0849852b8f8f946
e9bc1461c10946308fa4a0fb16f274108d80c351068ca95b5698a5a51d3b6de7
d7e1af2362cb778e3ba97174915da73fcd8fb4df49363fb09267eb28db27e77b
c4400514befd38c4870a6adba9e55b862bb249d791fae3cc6aae2666bacf0f04
60bb3e66aead037051760813844818c37fd1194d1a1e285e25fc0ded8201d56f

SH256 hash:

0929aed00ea0291b4166a257b40ae2b0af076993d0bfba78fa41e82ad9933399

MD5 hash:

46b7002e9828fe04b958da3a1e9ab7a6

SHA1 hash:

720c30f4661621598b525666eb7b9cd6db3f86ca

Detections:

HealerAVKiller

Alert

Create hunting rule

Link:

https://www.unpac.me/results/582b85de-013d-4009-bc41-7954c7840200/

Parent samples :

c79a41202d72d2a6c8d58689ba8096ea126c588bff1f1696efc0eae3fed2986e
52295749526fdbff59e549e9480b5de8d4b3cde5a5a51722a9d61a7efb0ac05a
43e5fa47a5452314258e601a49b335ca684465a9a65788de662d3abf564a433f
ca3ae8596a43fab969da8cad4cc20a02cfd3ffd65dd2b1a05d2a404e281a9ac2
de69842d0b844c1b7d75ecc08050b9c35ab4c587c4eccef966b82df6c65c6be7
742e7df621fd61cc2634b0e4ffde3976c847fcfdc95348a4dff591eeedb3234d
6c751b88ec0494c0848a7b01904a38a5ccf46bb6901404b178a6d5b51f75b14f
723b82e93dd8feae6b17eb5a7577328b81303fc36fbb557dca29a9233b989486
203554d11cd8d9a8fcad90f71604ed56e55fc587e0f10528e3a711117106e097
df22d21151daa9e2c32fedfaf67ee7b13913f8a650153443dc3d2fbd9d8fa732
38e591ce57ce0e4237c7ae9a3097cbeafaa14800ba43f76e59205e41cbe12f16
e3bfd095dde915136422887e63f1fc3b5bde09f587ca98c9f6a00b06fc6e6256
c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad
8b00e8342d9c518441471b108c7a34bf2b5e3095d588ef085127079a6d82761d
3118bebd18a67e11e2780e62f0256e4be8c67b24f9fc1fbdb5c201cf6860c5af
d906130b9b1841c940b973ca80127f599247f877d31892bfabf4bade8b603c8e
5d805379d8c091cc9aabb17156df24becf5b1e3f15c2bcf5a55c7ef93f8d20e3
2e7bbc0fd717a4f9e31985dede8bfc127a8a21c9656f9b8dc8be02ed93eab93c
1cb72edc0f1a84fb53e7a921c94bc95648ac55675d149a961cbcbffe44e1c304
59808576771e48d1a31b076748d691ae039a856dc43765c73ec362fa754e6415
19c2391800ad2eebcf2d04f271e6e331d88c9f1bcaff62f5b02f1cccf9c4a7ff
06c8c0ee65c80247e4adb9b03dadfbd311de9ea01de5a8a349cc717528b7cd4f
678ace6d8456a0b5c3db92e8873dc01858bd98bc7a08f993db5bc754910e4499
cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598
e899b408f2cb7ba552bc1eabfa6ed858215dbfc2c3974196367ccdcb2a444ecc
7becbd225d65be7dfda500f924bfb9070d068ecf3a34f6ba490fa0e1ba6497f0
e9bc1461c10946308fa4a0fb16f274108d80c351068ca95b5698a5a51d3b6de7
d7e1af2362cb778e3ba97174915da73fcd8fb4df49363fb09267eb28db27e77b
71a35fe403a4e41182eb707e3a7d76821034b494551ee67432afd6e7fa82e864
a387529289f01378ad79a948e7989817510c8d0b5de04921f65d21309ddb8a3c
81d0f5a0e99bc1f96d20b5aa4e8168cc0e50d58af04fa0bf52625a9cf7731fa2
98b544cb9a160813bd7758ca417c4d458625a75f2fcbbc148c6fbd9bd7221cbe
50ee7ab95de8e4a91c87f0b161cd2cdb593f7083645511b2f012a8451e776903
bde590ce8aad046c624f2b8b588d872f905e7f12acf69d49eca7299f60c7b906
a973c5027fe4ab592558a1cbc9e69e4aba9795badd326d29a46c7029e975a16b
e363f52ff771a575a98e3fb0b711c9f54978ebfc9b3a119939a57ca545e67356
ceede3f9fd6591b7ddebd806034806085ad914dbea25723a5e08b11de5589879
e96dd0b309b24dcd980fd017ed7190631541e1c2190a5a428d1ee456d1e18f2f
8b6ae8309efba64783aa15aeb7b5aad7ab4071211139e6e119082840ca06e023
a328a4e8510854022165818038f1b0578aa34f483cd7f65c548f4e2b6d99ccb1

SH256 hash:

cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598

MD5 hash:

dd404946a2ca5db2ffcaecd2b2388199

SHA1 hash:

7543818d0a93c7494fa5246fdcbc6d940699f86b

Link:

https://www.unpac.me/results/582b85de-013d-4009-bc41-7954c7840200/

VMRay Amadey

Malware family:

Amadey

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cdf833d90bc1/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

exe cdf833d90bc19a3de2de7e6725b60ee4c22fd62fa275ac218bae2fd72840e598

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2644981/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/395142/