MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0ad69df11a21e8d38dc2d33a27645716fd7ed59fb16b6faa00930e9bc46fe2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	d0ad69df11a21e8d38dc2d33a27645716fd7ed59fb16b6faa00930e9bc46fe2b
SHA3-384 hash:	3d8af036cf9a9581b63848bf5601c5692d0b4182a8399fad5325de6a30542fc04b5b5cc0e59fd80c15c68911b2c34ee3
SHA1 hash:	904ea99c61ad73b330915bc4d200224f0195ba28
MD5 hash:	bbc3642091afaa00750aa4a3a846c9ae
humanhash:	venus-bravo-pasta-hotel
File name:	bbc3642091afaa00750aa4a3a846c9ae.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	399'360 bytes
First seen:	2022-12-04 10:45:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	209ee1f7e696f87cdfe678fea2cc9d25 (11 x Smoke Loader, 7 x Amadey)
ssdeep	6144:dctel/0HAYKxaym3yGCCnl+3ZTG6JNknMW2RqnR/Y:dcEl8HAYQy/uZTGmMMW3R/Y
Threatray	9'937 similar samples on MalwareBazaar
TLSH	T1A484E131BA71D472C69304748456DBA0AA3FF8325D6199CB37686B6EDE303D18B7231B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c11edecea6ac8ccc (199 x Amadey, 139 x Smoke Loader, 22 x RedLineStealer)
Reporter	abuse_ch
Tags:	Amadey exe

Intelligence

File Origin

# of uploads :

# of downloads :

172

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

bbc3642091afaa00750aa4a3a846c9ae.exe

Verdict:

Malicious activity

Analysis date:

2022-12-04 10:48:43 UTC

Tags:

trojan amadey

Link:

https://app.any.run/tasks/ac6544b8-5eb8-4fd8-9734-65c19e27be17

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/342507/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Launching a process

Creating a window

Creating a file

Delayed reading of the file

Connecting to a non-recommended domain

Sending an HTTP POST request

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/638c7a6c55eb3470cd4fce82/reports/0046244b-20f9-4a89-b1b6-3796c3f59630/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f1e0b310-20af-4691-be3a-b14241459f5d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d0ad69df11a21e8d38dc2d33a27645716fd7ed59fb16b6faa00930e9bc46fe2b/

Threat name:

Win32.Trojan.Vidar

Status:

Malicious

First seen:

2022-12-03 16:21:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 41 (63.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2cwwtxyruipi2og4fuz2e5sfofx5p3kz7mlln6vabeyotpcg7yvq._file

Verdict:

malicious

Result

Malware family:

amadey

Score:

10/10

Tags:

family:amadey trojan

Link:

https://tria.ge/reports/221204-mtzqhafc81/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Amadey

Malware Config

C2 Extraction:

62.204.41.252/nB8cWack3/index.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/40bfd16d-0c48-4cba-9e0f-3bb32f7710e1

Unpacked files

SH256 hash:

93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e

MD5 hash:

b6957e4ed8fe1cd100b9b52dfefb9a7a

SHA1 hash:

f886edefe8980a61b730a998285a3086955cb800

Detections:

Amadey

Link:

https://www.unpac.me/results/da7e8aef-31dd-469a-be32-b6e221209b42/

Parent samples :

93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
f02844251b52e473847bb9433a6fc3b15036c2841b9e3c92e922102c44e3e6ee
894197e5c275eb7537858af6ee922a4cc4966f78b74954db74d16bdc9757ff5e
780e633b56607c091dcf8b6cdde49fc66d1a343c067369eac6d45c28247b0f06
8acf7c8ca42084601af93d03de127a693a38d4fbe9242acef0c93787a7abe143
ba046d1f3a1aebdf83958df97f96e73b1679878d8b13dde76489e422feb403de
062b38fe6d203437cf715f4a60c86373336563e72864a8aa9a7713541e6faa26
882de0a8592ca3333b590a4927c6e68378413290cbd90a230520d9c337505e50
32b669ab944868420ff7616b4ceae3cbb64dd60095d82f65dce686c03e1eebec
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
72352db1cd4ce31af163a6a5f4757573ccb355402a4bdc75383c22de35625394
5b4dc2a40520ff5e4a641ed7ec091e16fac0b3cda0baab56c91eea6648dc67fe
d0ad69df11a21e8d38dc2d33a27645716fd7ed59fb16b6faa00930e9bc46fe2b

SH256 hash:

d0ad69df11a21e8d38dc2d33a27645716fd7ed59fb16b6faa00930e9bc46fe2b

MD5 hash:

bbc3642091afaa00750aa4a3a846c9ae

SHA1 hash:

904ea99c61ad73b330915bc4d200224f0195ba28

Link:

https://www.unpac.me/results/da7e8aef-31dd-469a-be32-b6e221209b42/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d0ad69df11a2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d0ad69df11a21e8d38dc2d33a27645716fd7ed59fb16b6faa00930e9bc46fe2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.