MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf878de150bbfc29baab8635e159bb2733e63f1dbd954374258a55ee73982f0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 10

SHA256 hash: cf878de150bbfc29baab8635e159bb2733e63f1dbd954374258a55ee73982f0a
SHA3-384 hash: 1b98971723bf7899e1fdff241c812aec6c2f8573b044ab07462e893e72cfa7838774d5cf4de4176b7f907383bd46d2b5
SHA1 hash: fc6205c186b040cd6b2c30e1c4f161ec2eea2a47
MD5 hash: 0ccaba8f07f43baba600ee09864dd488
humanhash: bravo-massachusetts-uranus-ten
File name: setup_x86_x64_install.exe
Signature: Amadey
File size: 9'500'004 bytes
First seen: 2021-11-13 17:38:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:J9nddqv9h1EAPp8puO1a/xvwZXvI9ncSDCHqo0oUPR8xYwr:JIDNPCuO1uxvwxvI9nFDCHD0NPR8xx
Threatray: 693 similar samples on MalwareBazaar
TLSH: T16FA633C654A11C08E7660272AE5D9E8146F4B43F02FD336D6FFBE0404E1C974BBA5BA6
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: Amadey exe

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
http://185.163.47.175/   https://threatfox.abuse.ch/ioc/247972/
91.121.67.60:51630       https://threatfox.abuse.ch/ioc/247979/
95.181.152.143:42599     https://threatfox.abuse.ch/ioc/247980/

Intelligence


File Origin
# of uploads: 1
# of downloads: 272
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 60%
Tags: barys overlay packed smokeloader

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Backstage Stealer Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected Socelars
Behaviour
Behavior Graph: ID 521044, sample setup_x86_x64_install.exe, start date 13/11/2021, architecture WINDOWS, score 100 (graph rendering omitted)

Threat name: Win32.Trojan.Antiloadr
Status: Malicious
First seen: 2021-11-13 17:39:05 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:redline family:smokeloader family:socelars family:vidar botnet:933 botnet:media13111 aspackv2 backdoor evasion infostealer stealer suricata trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
Amadey
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time
Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments