MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d24f9b9c01da52107a1b32f527220828a0062f9e304cba56a3d45f4377054f1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d24f9b9c01da52107a1b32f527220828a0062f9e304cba56a3d45f4377054f1d
SHA3-384 hash: 30274f9bb9dca8bf8ba23cb8b5f6f57fcc64db78adcdb242e85bf0f21c896d5c0f9b869c2fe85affd10f9304cee2bcb3
SHA1 hash: 71e89a6484a2d8f09070e4721c9fb0a266158ee7
MD5 hash: 330ad7af399d901653209fda7b8ba423
humanhash: alaska-march-may-football
File name:SecuriteInfo.com.Win32.PWSX-gen.18507.10357
Download: download sample
Signature Amadey
Create hunting rule
File size:1'891'840 bytes
First seen:2024-02-20 08:25:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:LXHKeJqWDMUHAVJ2jHo3f+EAVhUaLpggj0I:L3KsBDMUHACjiDadX0
Threatray 43 similar samples on MalwareBazaar
TLSH T17F9533A74FE768EAC17A0971847B9F6EB28583DC01CE89A3F46F112B13FF66530514A4
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/476993/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.18507.10357.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Launching the process to change network settings
Running batch commands
Connection attempt to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65d4623926f1ddc579a1ae94/reports/cebbc2e6-82ef-4458-a66d-d60b87667897/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d24f9b9c01da52107a1b32f527220828a0062f9e304cba56a3d45f4377054f1d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NtHack
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ea0d669-60e8-44d3-8ef0-012da72ca6f3
Result
Threat name:
Amadey, RedLine, Remcos, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1395097
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected Remcos RAT
Yara detected RisePro Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1395097 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 20/02/2024 Architecture: WINDOWS Score: 100 155 Found malware configuration 2->155 157 Malicious sample detected (through community Yara rule) 2->157 159 Antivirus detection for dropped file 2->159 161 19 other signatures 2->161 9 explorgu.exe 3 63 2->9         started        14 dota.exe 2->14         started        16 SecuriteInfo.com.Win32.PWSX-gen.18507.10357.exe 5 2->16         started        18 6 other processes 2->18 process3 dnsIp4 137 185.215.113.32 WHOLESALECONNECTIONSNL Portugal 9->137 139 91.215.85.209 PINDC-ASRU Russian Federation 9->139 141 193.233.132.167 FREE-NET-ASFREEnetEU Russian Federation 9->141 99 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 9->99 dropped 101 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 9->101 dropped 103 C:\Users\user\AppData\...\lolololoMRK123.exe, PE32 9->103 dropped 113 35 other malicious files 9->113 dropped 213 Creates multiple autostart registry keys 9->213 215 Hides threads from debuggers 9->215 217 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->217 219 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 9->219 20 kiliqiuang.exe 9->20         started        23 ladas.exe 9->23         started        27 dota.exe 9->27         started        31 10 other processes 9->31 105 C:\Users\user\...\qtTk0wemgXCVziAM3Qm2.exe, PE32 14->105 dropped 107 C:\Users\user\...\oCsaGTIdsjofpmbIRu7Z.exe, PE32 14->107 dropped 109 C:\Users\user\...\mwjNn8LOVcjA_aWKmQ9h.exe, PE32 14->109 dropped 115 7 other malicious files 14->115 dropped 221 Tries to steal Mail credentials (via file / registry access) 14->221 223 Tries to harvest and steal browser information (history, passwords, etc) 14->223 111 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 16->111 dropped 225 Detected unpacking (changes PE section rights) 16->225 227 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 16->227 229 Tries to evade debugger and weak emulator (self modifying code) 16->229 231 Tries to detect virtualization through RDTSC time measurements 16->231 143 23.51.58.94 TMNET-AS-APTMNetInternetServiceProviderMY United States 18->143 145 127.0.0.1 unknown unknown 18->145 233 Multi AV Scanner detection for dropped file 18->233 235 Binary is likely a compiled AutoIt script file 18->235 237 Machine Learning detection for dropped file 18->237 29 chrome.exe 18->29         started        file5 signatures6 process7 dnsIp8 87 59 other files (57 malicious) 20->87 dropped 129 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 23->129 75 C:\Users\user\...\qUxvm5e0n3ngs_bnb14X.exe, PE32 23->75 dropped 77 C:\Users\user\...\oEV6ViiskhCYdCSqi5Bm.exe, PE32 23->77 dropped 79 C:\Users\user\...\Wkh8kzdi1dQmSwbe0mf0.exe, PE32 23->79 dropped 89 11 other malicious files 23->89 dropped 173 Binary is likely a compiled AutoIt script file 23->173 175 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->175 177 Tries to steal Mail credentials (via file / registry access) 23->177 193 4 other signatures 23->193 131 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 27->131 133 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 27->133 81 C:\Users\user\...\yz5_bT_o1BR5IjZoIxqb.exe, PE32 27->81 dropped 91 12 other malicious files 27->91 dropped 179 Found many strings related to Crypto-Wallets (likely being stolen) 27->179 181 Creates multiple autostart registry keys 27->181 183 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->183 185 Uses schtasks.exe or at.exe to add and modify task schedules 27->185 33 schtasks.exe 27->33         started        35 schtasks.exe 27->35         started        37 chrome.exe 29->37         started        135 185.215.113.67 WHOLESALECONNECTIONSNL Portugal 31->135 83 C:\Users\user\AppData\Roaming\...\Keys.exe, PE32+ 31->83 dropped 85 C:\ProgramData\viewer\viewer.exe, PE32 31->85 dropped 187 System process connects to network (likely due to code injection or exploit) 31->187 189 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->189 191 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->191 195 7 other signatures 31->195 39 RegAsm.exe 31->39         started        42 rundll32.exe 23 31->42         started        45 RegAsm.exe 31->45         started        48 10 other processes 31->48 file9 signatures10 process11 dnsIp12 50 conhost.exe 33->50         started        52 conhost.exe 35->52         started        93 C:\Users\user\AppData\Roaming\...\olehpsp.exe, PE32 39->93 dropped 95 C:\Users\user\AppData\Roaming\...\STAR.exe, PE32 39->95 dropped 54 STAR.exe 39->54         started        58 olehpsp.exe 39->58         started        197 Tries to steal Instant Messenger accounts or passwords 42->197 199 Uses netsh to modify the Windows network and firewall settings 42->199 201 Tries to harvest and steal ftp login credentials 42->201 209 2 other signatures 42->209 60 powershell.exe 42->60         started        63 netsh.exe 42->63         started        147 217.195.207.156 ASFIBERSUNUCUTR Turkey 45->147 97 C:\Users\user\AppData\Roaming\...\qemu-ga.exe, PE32 45->97 dropped 203 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->203 205 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 45->205 207 Drops PE files to the startup folder 45->207 211 2 other signatures 45->211 65 qemu-ga.exe 45->65         started        149 20.218.68.91 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 48->149 151 192.168.2.6 unknown unknown 48->151 153 239.255.255.250 unknown Reserved 48->153 67 chrome.exe 48->67         started        69 2 other processes 48->69 file13 signatures14 process15 dnsIp16 119 5.42.65.31 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 54->119 163 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 54->163 165 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 54->165 167 Tries to harvest and steal browser information (history, passwords, etc) 54->167 169 Tries to steal Crypto Currency Wallets 54->169 121 185.172.128.33 NADYMSS-ASRU Russian Federation 58->121 117 C:\Users\user\...\246122658369_Desktop.zip, Zip 60->117 dropped 171 Found many strings related to Crypto-Wallets (likely being stolen) 60->171 71 conhost.exe 60->71         started        73 conhost.exe 63->73         started        123 142.250.64.99 GOOGLEUS United States 67->123 125 142.250.80.100 GOOGLEUS United States 67->125 127 9 other IPs or domains 67->127 file17 signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d24f9b9c01da52107a1b32f527220828a0062f9e304cba56a3d45f4377054f1d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d24f9b9c01da52107a1b32f527220828a0062f9e304cba56a3d45f4377054f1d/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-02-20 08:26:25 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jhzxhab3jjba6q3gl2soiqifcqaml46gbgluvvd2rpug5yfj4oq._file
Verdict:
malicious
Similar samples:
4e3b1632008b15ff18717ee30e1209c4328f618232f85db9c1e4a8a418de02d8
Amadey
67eb16719c749c5a811674744972d27eb660d809f09660a1fc4afac2ddd161e7
Amadey
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
Amadey
888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d
Amadey
8df70ba97904cf1e899bda09fa6738d1f063603ec6f8e92215e8dbf1fe501006
Amadey
b8683ab5e19e1364f139083751251979b116f2610c36a6bca39bda62a54c7fce
Amadey
da730557f8b4c1520f0de35abbe7680031db2dbd9ccc66560d58b3c4e2e29828
Amadey
dbc4c04a9a7a559da5912ab482ce2a74704f700e7dcf134a647b3fe6e9b85518
Amadey
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
Amadey
+ 33 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:stealc family:xmrig discovery evasion miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/240220-kbzxfadg4v/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
.NET Reactor proctector
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Lumma Stealer
Stealc
xmrig
Malware Config
C2 Extraction:
http://185.215.113.32
http://185.172.128.79
https://triangleseasonbenchwj.shop/api
https://gemcreedarticulateod.shop/api
https://secretionsuitcasenioise.shop/api
https://claimconcessionrebe.shop/api
https://liabilityarrangemenyit.shop/api
https://mealroomrallpassiveer.shop/api
Unpacked files
SH256 hash:
939ea02fa8b8e501595ee1f82a62544fea1f0a58cb3a53bbd66769b9fb8fd835
MD5 hash:
0156045751620bbc902bfed81cfbbc59
SHA1 hash:
ae35ec5cee3a46fc5fc69ca56f43fe0c2e2daf3f
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/f01ee822-c0f7-44d3-bfe6-307c2f0819a1/
SH256 hash:
d24f9b9c01da52107a1b32f527220828a0062f9e304cba56a3d45f4377054f1d
MD5 hash:
330ad7af399d901653209fda7b8ba423
SHA1 hash:
71e89a6484a2d8f09070e4721c9fb0a266158ee7
Link:
https://www.unpac.me/results/f01ee822-c0f7-44d3-bfe6-307c2f0819a1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d24f9b9c01da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d24f9b9c01da52107a1b32f527220828a0062f9e304cba56a3d45f4377054f1d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe d24f9b9c01da52107a1b32f527220828a0062f9e304cba56a3d45f4377054f1d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2759927/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2757406/
  
URLhaus
https://urlhaus.abuse.ch/url/2761196/
Cape
Cape
https://www.capesandbox.com/analysis/476993/

Comments