MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e
SHA3-384 hash: 4a0e2d7ac9c5dbf96b9a98db844c8ba3f939ac9deb6753b1106a040a6f436b4c9d336589ac85aafc582b512021f48995
SHA1 hash: 58daf4a99c9c148f38b3e6173d5f7ac01bcfaf16
MD5 hash: 90c738cebe2f8dda5d53e777ad286a43
humanhash: idaho-massachusetts-blossom-happy
File name:90c738cebe2f8dda5d53e777ad286a43
Download: download sample
Signature Amadey
Create hunting rule
File size:2'414'592 bytes
First seen:2024-03-26 05:24:47 UTC
Last seen:2024-07-25 01:22:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:Trp/mzum6MFkh5lLEwloDrFHJ/PXbU2HSu8KiDDjCBrVaQWMZ00r:8zum6My14wmDrFH9XcuuDDGBxaU2a
TLSH T13BB53301F9CA52F2D208B5FDEF6FAAF91409BA304133D32E7C5A2B2429917765D4E718
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
551
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e.exe
Verdict:
Malicious activity
Analysis date:
2024-03-26 05:25:49 UTC
Tags:
amadey botnet stealer loader
Link:
https://app.any.run/tasks/60d363a6-76b4-4ddc-b6e6-212f8bf4d113

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Сreating synchronization primitives
Connection attempt to an infection source
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Enabling the 'hidden' option for files in the %temp% directory
Changing a file
Creating a window
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
net_reactor packed packed
Link:
https://www.filescan.io/uploads/66025c31f1c80c2d4d57c664/reports/10e1853a-7612-4f42-9cd0-6d5c654b1d66/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9541ec9-d618-44f2-96e6-81387bcc0ab6
Result
Threat name:
Amadey, PureLog Stealer, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1415588
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Contains functionality to inject code into remote processes
Creates autostart registry keys with suspicious names
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Renames powershell.exe to bypass HIPS
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Register Wscript In Run Key
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Executable File Creation
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1415588 Sample: KW4EbKKLcF.exe Startdate: 26/03/2024 Architecture: WINDOWS Score: 100 82 ruspyc.top 2->82 96 Sigma detected: Register Wscript In Run Key 2->96 98 Snort IDS alert for network traffic 2->98 100 Multi AV Scanner detection for domain / URL 2->100 102 21 other signatures 2->102 12 KW4EbKKLcF.exe 1 3 2->12         started        16 wscript.exe 2->16         started        18 wscript.exe 2->18         started        20 4 other processes 2->20 signatures3 process4 file5 80 C:\Users\user\AppData\Roaming\Wtoldkft.exe, PE32 12->80 dropped 126 Creates HTML files with .exe extension (expired dropper behavior) 12->126 128 Creates multiple autostart registry keys 12->128 130 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->130 22 KW4EbKKLcF.exe 1 21 12->22         started        132 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->132 27 cmd.exe 16->27         started        29 cmd.exe 18->29         started        134 Antivirus detection for dropped file 20->134 136 Multi AV Scanner detection for dropped file 20->136 138 Machine Learning detection for dropped file 20->138 31 Wtoldkft.exe 20->31         started        33 Wtoldkft.exe 20->33         started        signatures6 process7 dnsIp8 84 ruspyc.top 85.114.96.4, 49705, 49707, 49709 FUSIONPS Palestinian Territory Occupied 22->84 86 163.5.215.125, 49706, 49708, 49710 EPITECHFR France 22->86 72 C:\Users\user\AppData\...\amadey-crypted.exe, PE32 22->72 dropped 74 C:\Users\user\...\amadey-crypted[1].exe, PE32 22->74 dropped 76 C:\Users\user\AppData\Local\...\cashama.cmd, DOS 22->76 dropped 120 Creates autostart registry keys with suspicious names 22->120 122 Creates multiple autostart registry keys 22->122 35 cmd.exe 2 22->35         started        38 amadey-crypted.exe 22->38         started        124 Renames powershell.exe to bypass HIPS 27->124 41 startup_str_705.bat.exe 27->41         started        43 conhost.exe 27->43         started        45 startup_str_705.bat.exe 29->45         started        47 conhost.exe 29->47         started        file9 signatures10 process11 file12 70 C:\Users\user\AppData\...\cashama.cmd.exe, PE32 35->70 dropped 49 cashama.cmd.exe 4 19 35->49         started        53 conhost.exe 35->53         started        104 Antivirus detection for dropped file 38->104 106 Multi AV Scanner detection for dropped file 38->106 108 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 38->108 110 Contains functionality to inject code into remote processes 38->110 112 Powershell is started from unusual location (likely to bypass HIPS) 41->112 114 Reads the Security eventlog 41->114 116 Reads the System eventlog 41->116 signatures13 process14 file15 66 C:\Users\user\AppData\...\startup_str_705.vbs, ASCII 49->66 dropped 68 C:\Users\user\AppData\...\startup_str_705.bat, DOS 49->68 dropped 88 Command shell drops VBS files 49->88 90 Creates multiple autostart registry keys 49->90 92 Powershell is started from unusual location (likely to bypass HIPS) 49->92 94 2 other signatures 49->94 55 wscript.exe 49->55         started        signatures16 process17 signatures18 118 Windows Scripting host queries suspicious COM object (likely to drop second stage) 55->118 58 cmd.exe 55->58         started        process19 file20 78 C:\Users\user\...\startup_str_705.bat.exe, PE32 58->78 dropped 61 startup_str_705.bat.exe 58->61         started        64 conhost.exe 58->64         started        process21 signatures22 140 Powershell is started from unusual location (likely to bypass HIPS) 61->140 142 Reads the Security eventlog 61->142 144 Reads the System eventlog 61->144
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-03-25 05:03:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2d37wbyalkyvdn3kwdgz6w2fu7jrt6zsomceyl23m2sjdrqwd6pa._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat persistence rat
Link:
https://tria.ge/reports/240326-f4aqssdb84/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Detect ZGRat V1
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Unpacked files
SH256 hash:
5f47468b7d849c3d3b49146f199c19bf8eafec9ee48c1ab14b1529c2e066d009
MD5 hash:
a588f424ba421b04bddd4445e1c8a68a
SHA1 hash:
fd2e032083f743216efc9c5e07dd964ce84508ac
Link:
https://www.unpac.me/results/775fdc00-aa49-4b2e-b15c-434a1d9c0ed9/
SH256 hash:
d128dcc8aa65e1a241808335b55b7166ff9ca3ec472d8348376b2b5df881e25e
MD5 hash:
da87983222a9d30d9e2695b5a3e219be
SHA1 hash:
60777a16bfbbba17ad8f7862fd2e9c9948ae39b5
Link:
https://www.unpac.me/results/775fdc00-aa49-4b2e-b15c-434a1d9c0ed9/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/775fdc00-aa49-4b2e-b15c-434a1d9c0ed9/
SH256 hash:
4aff76dbf54311f2bcf0b6814f26d3c558061fd4b3c360b83c4e6bb2df3f6dc7
MD5 hash:
1796c588eaac8165d0977ea613deced2
SHA1 hash:
2dc34d0596ebfb2f750dd65fd71e4b8c4777300b
Detections:
win_amadey_auto
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/775fdc00-aa49-4b2e-b15c-434a1d9c0ed9/
Parent samples :
5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7
d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e
573af37432fd9cd8881a41511d518ff2415c0e0273ffa63c0d17fc9841b01254
SH256 hash:
4f06f0b53e5e630313a38565f1bc3a3a2c1f685b0084b1d9f039f962fb773dd1
MD5 hash:
36223e94995939264066e20556ac7de4
SHA1 hash:
0748afd60e4807813a0ae5bc1dc8f78b41682253
Link:
https://www.unpac.me/results/775fdc00-aa49-4b2e-b15c-434a1d9c0ed9/
SH256 hash:
d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e
MD5 hash:
90c738cebe2f8dda5d53e777ad286a43
SHA1 hash:
58daf4a99c9c148f38b3e6173d5f7ac01bcfaf16
Link:
https://www.unpac.me/results/775fdc00-aa49-4b2e-b15c-434a1d9c0ed9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2792744/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-03-26 05:24:48 UTC

url : hxxp://193.233.132.167/lend/amadycry.exe