MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5069a5fed89b8e60a2c92d5d26b533e339ca2001a6148c04b8183f9ae8e34da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 13



SHA256 hash: d5069a5fed89b8e60a2c92d5d26b533e339ca2001a6148c04b8183f9ae8e34da
SHA3-384 hash: 7880cd7ab738fc3077e123a917bd9b3c82d3a6c21590a403fa14e1bc2c0c1b37939fac8af4b99ec607b0b7ff2d69e311
SHA1 hash: 192d42239bd350e7e17397b9f093712a2ddeab95
MD5 hash: 57e74b54fbd924c32036d79a78dc462c
humanhash: connecticut-quebec-zebra-low
File name: SecuriteInfo.com.Win32.PWSX-gen.17762.9680
Signature Amadey
File size: 1'906'688 bytes
First seen: 2024-02-06 14:22:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:TA2XOBPF3u7OyQ/6gCDiCheiqe81hSC0:TxeBZ1/lpCheSQhSC0
TLSH T1919533003159224AD8A717B4FE3140D73DFDEE8991AF8F5AF2F221AD8F376429D98814
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 289
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d5069a5fed89b8e60a2c92d5d26b533e339ca2001a6148c04b8183f9ae8e34da.exe
Verdict: Malicious activity
Analysis date: 2024-02-06 14:23:08 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm masquerade packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Amadey, Fabookie, Glupteba, Pure
Detection: malicious
Classification: phis.troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey's Clipper DLL
Yara detected Amadey's stealer DLL
Yara detected AntiVM3
Yara detected Fabookie
Yara detected Glupteba
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected zgRAT
Behaviour
Behavior Graph: rendered process/network graph (Behavior Graph ID: 1387584, Sample: SecuriteInfo.com.Win32.PWSX..., Startdate: 06/02/2024, Architecture: WINDOWS, Score: 100); the graph's node labels are not reproduced here.
Threat name: Win32.Spyware.Risepro
Status: Malicious
First seen: 2024-02-06 14:23:06 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 17 of 24 (70.83%)
Threat level: 2/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:amadey family:redline family:zgrat botnet:@oleh_ps botnet:@oni912 botnet:livetraffic evasion infostealer rat trojan upx
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
UPX packed file
.NET Reactor protector
Downloads MZ/PE file
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect ZGRat V1
RedLine
RedLine payload
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.32
20.79.30.95:33223
45.15.156.209:40481
185.172.128.33:8924
Unpacked files
SHA256 hash: 032f4a01289170f6d036c8d8e9acf73c1e2e04e739478fd6e68b9474cb608f3c
MD5 hash: 2ab49c1cbb291e5bfaec3490f0e151f9
SHA1 hash: 39bcf611ef739d3873cdcbc693b565deeebec165
Detections: win_amadey
SHA256 hash: d5069a5fed89b8e60a2c92d5d26b533e339ca2001a6148c04b8183f9ae8e34da
MD5 hash: 57e74b54fbd924c32036d79a78dc462c
SHA1 hash: 192d42239bd350e7e17397b9f093712a2ddeab95
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Amadey
Author: kevoreilly
Description: Amadey Payload
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: win_amadey_a9f4
Author: Johannes Bader
Description: matches unpacked Amadey samples
Rule name: win_amadey_bytecodes_oct_2023
Author: Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Amadey
File: Executable exe d5069a5fed89b8e60a2c92d5d26b533e339ca2001a6148c04b8183f9ae8e34da (this sample)
