MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 13 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA3-384 hash: 614fe9503ab8223840d3148cb684a792be5638a5201db8b3fc0854cce5a1ed491ed220e412b0d0bd6a44eb7485047d3c
SHA1 hash: 004c581ea52c199b9aa3150f282aeb99d79104cc
MD5 hash: c2ca868ecfdd5ee7a6d4143890a29872
humanhash: foxtrot-arizona-beer-triple
File name:c2ca868ecfdd5ee7a6d4143890a29872
Download: download sample
Signature Amadey
Create hunting rule
File size:646'144 bytes
First seen:2023-08-05 14:01:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:i23s5mTknITB0mEN/yMNDljDKZn5A2t1CNW:VzTBYKMNJuk2t1CN
Threatray 2'359 similar samples on MalwareBazaar
TLSH T1A7D48C0DB8FCD053DAD19B3D80B0C677923631816834CA7C5F4597A63C58A89A79EB2F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-08-05 13:04:42 UTC
Tags:
loader smoke trojan ransomware stop stealer vidar arkei rat redline payload fabookie amadey
Link:
https://app.any.run/tasks/69f2ff17-96c4-4e32-b500-fbaf7f5fa1c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/440833/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.9891.23866.30174.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Connecting to a non-recommended domain
Sending an HTTP POST request
Adding an access-denied ACE
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/64ce565be1d5367a534ba03d/reports/f11f89db-62d4-4adc-b63d-2057a3193f9d/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c53884a-7b91-4668-8ae8-a046e43ef08b
Result
Threat name:
Amadey, Fabookie
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1286481
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1286481 Sample: h8wVZ8hLjA.exe Startdate: 05/08/2023 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Found malware configuration 2->65 67 10 other signatures 2->67 9 h8wVZ8hLjA.exe 4 2->9         started        12 yiueea.exe 2->12         started        14 yiueea.exe 2->14         started        16 yiueea.exe 2->16         started        process3 file4 47 C:\Users\user\AppData\...\latestplayer.exe, PE32 9->47 dropped 49 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 9->49 dropped 18 latestplayer.exe 3 9->18         started        22 aafg31.exe 14 9->22         started        process5 dnsIp6 43 C:\Users\user\AppData\Local\...\yiueea.exe, PE32 18->43 dropped 69 Machine Learning detection for dropped file 18->69 71 Contains functionality to inject code into remote processes 18->71 25 yiueea.exe 13 18->25         started        51 us.imgjeoigaa.com 103.100.211.218, 49692, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 22->51 53 aa.imgjeoogbb.com 154.221.26.108, 49696, 49707, 49718 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 22->53 55 192.168.2.1 unknown unknown 22->55 45 C:\Users\...\8640ec3d97fe5ce49e63ab6bc3449e01, SQLite 22->45 dropped 73 Contains functionality to steal Chrome passwords or cookies 22->73 75 Tries to harvest and steal browser information (history, passwords, etc) 22->75 file7 signatures8 process9 dnsIp10 57 79.137.192.18, 49693, 49694, 49695 PSKSET-ASRU Russian Federation 25->57 59 aa.imgjeoogbb.com 25->59 77 Creates an undocumented autostart registry key 25->77 79 Machine Learning detection for dropped file 25->79 81 Uses schtasks.exe or at.exe to add and modify task schedules 25->81 29 cmd.exe 1 25->29         started        31 schtasks.exe 1 25->31         started        signatures11 process12 process13 33 conhost.exe 29->33         started        35 cmd.exe 1 29->35         started        37 cmd.exe 1 29->37         started        41 4 other processes 29->41 39 conhost.exe 31->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b/
Threat name:
ByteCode-MSIL.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-05 14:02:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2rablc4r3fswsmahwu4rgfyewo65olugjnnnyhaoembbhlgt3f5q._file
Verdict:
malicious
Similar samples:
16bba5264817b4ada8bb227f8089b237396874620cc658ff62438420a79260ea
Amadey
23392bff27ee35d1741c5e8ebeeca33695510b025ef71e1eb0131cb82b6b26ed
Amadey
5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011
Amadey
808ff54f7fb199adb18413322e1e530742522cc083d5e1706c872b99a879439d
Amadey
8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9
Amadey
8ec5209142f132a1809313d6c91fbf1f0186f5a2561e7d207e4aa4619aa2270d
Amadey
b3216b636dd338d24b69c9ad859f96a3f2692f1fe642292d45a433faf0613688
Amadey
c6f1c4643dcc47ecfe495407c7ef7fcdae641f554ff005cac496695c9a3b6acf
Amadey
cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
Amadey
f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
Amadey
+ 2'349 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:fabookie family:glupteba family:smokeloader botnet:up3 backdoor dropper evasion loader persistence rootkit spyware stealer trojan
Link:
https://tria.ge/reports/230805-rb4nysee3y/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Amadey
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
SmokeLoader
Windows security bypass
Malware Config
C2 Extraction:
79.137.192.18/9bDc8sQ/index.php
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
MD5 hash:
c2ca868ecfdd5ee7a6d4143890a29872
SHA1 hash:
004c581ea52c199b9aa3150f282aeb99d79104cc
Link:
https://www.unpac.me/results/36862730-3f48-4613-831d-3491a72d8535/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d440158b91d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:msil_rc4
Create hunting rule
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shortloader
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:ShortLoader Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2699318/
Cape
Cape
https://www.capesandbox.com/analysis/440833/

Comments


Avatar
zbet commented on 2023-08-05 14:01:39 UTC

url : hxxp://79.137.192.18/wowo.exe