MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0175428447d496447f5f940366744ad3a300e8b3116a2a7852969fac0d12835. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0175428447d496447f5f940366744ad3a300e8b3116a2a7852969fac0d12835
SHA3-384 hash: e74e853067bfa28952c43b1e4776c53cd724138af07950db8bbd915478335e8fc94e7632de1f65dddd28dc3b3f75e94f
SHA1 hash: 1df1e8066fca31d34e60fdb40b0e3866f34ed941
MD5 hash: a7cd5139890144e22b955bc41174f22b
humanhash: pip-princess-pasta-diet
File name:a7cd5139890144e22b955bc41174f22b
Download: download sample
Signature Amadey
Create hunting rule
File size:1'906'688 bytes
First seen:2024-10-07 11:24:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:vaKXMe4nV8bZI6QqW3eBkqzCTaekGEkogC2UnxJmoui/Ffamrk5S7El8fUceRO4:RXMlau30O2ZYUgsFpOt88cQ
TLSH T1209533A95F515F94FC8BD939E5C8CDCCD384950BE9910899F81B40B0E0C6DF621AB8DB
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
449
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
a7cd5139890144e22b955bc41174f22b
Verdict:
Malicious activity
Analysis date:
2024-10-07 11:52:01 UTC
Tags:
amadey botnet stealer opendir loader stealc themida lumma autoit
Link:
https://app.any.run/tasks/532065cd-b2e8-4865-8f5b-dec53109b5bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.28603.29381.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6703c511ebeac9e6805131a0
Tags:
Powershell Autorun Autoit Emotet
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6703c5153d3bba49f3dc8b53/reports/f118ce67-9935-4774-9fb9-1e54a776c379/overview
Verdict:
Malicious
Labled as:
Kryptik.Generic
Link:
https://www.hybrid-analysis.com/sample/d0175428447d496447f5f940366744ad3a300e8b3116a2a7852969fac0d12835
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5d678007-57c6-4897-8341-a50ee3bf068c
Result
Threat name:
LummaC, Amadey, Credential Flusher, Stea
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1527965
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Excessive usage of taskkill to terminate processes
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has a writeable .text section
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527965 Sample: xwZfYpo16i.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 89 sergei-esenin.com 2->89 91 licendfilteo.site 2->91 93 8 other IPs or domains 2->93 115 Suricata IDS alerts for network traffic 2->115 117 Found malware configuration 2->117 119 Antivirus detection for URL or domain 2->119 121 16 other signatures 2->121 9 skotes.exe 3 22 2->9         started        14 xwZfYpo16i.exe 5 2->14         started        16 skotes.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 dnsIp5 105 185.215.113.43, 49904, 49920, 49951 WHOLESALECONNECTIONSNL Portugal 9->105 107 185.215.113.103, 49925, 50003, 50023 WHOLESALECONNECTIONSNL Portugal 9->107 77 C:\Users\user\AppData\...\4db5303091.exe, PE32 9->77 dropped 79 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->79 dropped 81 C:\Users\user\AppData\...\cb428cafc9.exe, PE32 9->81 dropped 87 3 other malicious files 9->87 dropped 151 Creates multiple autostart registry keys 9->151 153 Hides threads from debuggers 9->153 155 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->155 20 4db5303091.exe 9->20         started        24 cb428cafc9.exe 9->24         started        26 num.exe 13 9->26         started        83 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->83 dropped 85 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->85 dropped 157 Detected unpacking (changes PE section rights) 14->157 159 Tries to evade debugger and weak emulator (self modifying code) 14->159 161 Tries to detect virtualization through RDTSC time measurements 14->161 28 skotes.exe 14->28         started        163 Antivirus detection for dropped file 16->163 165 Machine Learning detection for dropped file 16->165 167 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->167 169 Binary is likely a compiled AutoIt script file 18->169 171 Excessive usage of taskkill to terminate processes 18->171 30 taskkill.exe 18->30         started        32 taskkill.exe 18->32         started        34 taskkill.exe 18->34         started        36 19 other processes 18->36 file6 signatures7 process8 dnsIp9 95 sergei-esenin.com 172.67.206.204, 443, 50031, 50043 CLOUDFLARENETUS United States 20->95 97 steamcommunity.com 104.102.49.254, 443, 50030, 50041 AKAMAI-ASUS United States 20->97 123 Antivirus detection for dropped file 20->123 125 Multi AV Scanner detection for dropped file 20->125 127 Detected unpacking (changes PE section rights) 20->127 147 2 other signatures 20->147 129 Binary is likely a compiled AutoIt script file 24->129 131 Machine Learning detection for dropped file 24->131 133 Found API chain indicative of sandbox detection 24->133 135 Excessive usage of taskkill to terminate processes 24->135 38 chrome.exe 8 24->38         started        42 taskkill.exe 1 24->42         started        44 taskkill.exe 1 24->44         started        54 3 other processes 24->54 99 185.215.113.37, 50012, 50035, 50048 WHOLESALECONNECTIONSNL Portugal 26->99 137 Found evasive API chain (may stop execution after checking locale) 26->137 139 Searches for specific processes (likely to inject) 26->139 141 Hides threads from debuggers 28->141 143 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->143 145 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 28->145 46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        50 conhost.exe 34->50         started        52 conhost.exe 36->52         started        56 18 other processes 36->56 signatures10 process11 dnsIp12 101 192.168.2.5, 138, 443, 49180 unknown unknown 38->101 103 239.255.255.250 unknown Reserved 38->103 149 Excessive usage of taskkill to terminate processes 38->149 58 chrome.exe 38->58         started        61 chrome.exe 38->61         started        63 chrome.exe 38->63         started        75 5 other processes 38->75 65 conhost.exe 42->65         started        67 conhost.exe 44->67         started        69 conhost.exe 54->69         started        71 conhost.exe 54->71         started        73 conhost.exe 54->73         started        signatures13 process14 dnsIp15 109 www3.l.google.com 142.250.184.206, 443, 50010 GOOGLEUS United States 58->109 111 youtube.com 142.250.185.110, 443, 49959 GOOGLEUS United States 58->111 113 5 other IPs or domains 58->113
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d0175428447d496447f5f940366744ad3a300e8b3116a2a7852969fac0d12835
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0175428447d496447f5f940366744ad3a300e8b3116a2a7852969fac0d12835/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-10-07 11:25:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2alvikcepvewir7v7fadmz2evu5dadulgelkfj4fffu7vqgrfa2q._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:stealc botnet:9c9aa5 botnet:doma discovery evasion persistence stealer trojan
Link:
https://tria.ge/reports/241007-nh98jasfrr/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Lumma Stealer, LummaC
Stealc
Malware Config
C2 Extraction:
http://185.215.113.43
http://185.215.113.37
Verdict:
Malicious
Tags:
amadey
YARA:
n/a
Link:
https://app.threat.zone/submission/3ab590a7-4204-4c26-91b9-bdbea7b46bd5
Unpacked files
SH256 hash:
1e7c72062c4154dbfa3b87065765e5081400fb7b357978b4b1b3ee788dd77bbd
MD5 hash:
597fb4bfcf429a75a7eea4572c99a563
SHA1 hash:
21ca157887ff98a0f947ede7f480bc184a05a714
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/32016879-5b3f-4ced-9f23-bb0c502755e7/
SH256 hash:
d0175428447d496447f5f940366744ad3a300e8b3116a2a7852969fac0d12835
MD5 hash:
a7cd5139890144e22b955bc41174f22b
SHA1 hash:
1df1e8066fca31d34e60fdb40b0e3866f34ed941
Link:
https://www.unpac.me/results/32016879-5b3f-4ced-9f23-bb0c502755e7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0175428447d496447f5f940366744ad3a300e8b3116a2a7852969fac0d12835

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe d0175428447d496447f5f940366744ad3a300e8b3116a2a7852969fac0d12835

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3183445/
  
URLhaus
https://urlhaus.abuse.ch/url/3184067/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments


Avatar
zbet commented on 2024-10-07 11:24:14 UTC

url : hxxp://185.215.113.100/mine/random.exe