MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374
SHA3-384 hash: 89082fbdc9725526700b01e30017c2ea146e0c2d952afecfb23992c4966fc46ce5337931f2102239c03ba6ea2091a195
SHA1 hash: 47d5ed85d9522a08d5df606a8d3c45cb7ddd01f4
MD5 hash: 8da053f9830880089891b615436ae761
humanhash: oxygen-moon-magazine-four
File name:8da053f9830880089891b615436ae761
Download: download sample
Signature Amadey
Create hunting rule
File size:104'448 bytes
First seen:2023-11-01 16:27:51 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 91452bf3259a3ff5928a3bb7f6be301a (11 x Amadey)
ssdeep 3072:/HEjxEfCk+EeY22JosmvWuQRRIQrT7xUcdYNS60Z:PsqqdLsOWuQRbZeNS60Z
Threatray 10 similar samples on MalwareBazaar
TLSH T1FEA35C057295C071E56E1A3A1874ABB5877EAC14DFB04DEB27400E7AAE343D1BD35C3A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 Amadey dll exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457667/
Detection(s):
Win.Malware.Zusy-10001339-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/65427c9d34de31f579cfc1a0/reports/8ff09457-b8ae-4356-a04c-2f67dc18498f/overview
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe27472b-bb87-405d-acd4-eebcb57f0936
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1335588
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1335588 Sample: Wp1mZPrBSY.dll Startdate: 01/11/2023 Architecture: WINDOWS Score: 88 23 Found malware configuration 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected Amadeys Clipper DLL 2->27 29 2 other signatures 2->29 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 12 7->9         started        12 rundll32.exe 7->12         started        14 rundll32.exe 12 7->14         started        17 5 other processes 7->17 dnsIp5 31 System process connects to network (likely due to code injection or exploit) 9->31 33 Found potential dummy code loops (likely to delay analysis) 12->33 21 167.235.20.126, 49708, 49709, 80 ALBERTSONSUS United States 14->21 19 rundll32.exe 17->19         started        signatures6 process7
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-11-01 16:28:05 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vecwscwhixro5fuoodc7pjkdzidhngcmlxocb7pmrmi4r7byn2a._file
Verdict:
malicious
Similar samples:
19f0386456060982bf9880a31c55022371ea3825c10f5ecca1310c8219ed738c
Amadey
1ab121c22361884aa13cc654a4e79a6e70240d3ef60bc1e660aeef7bde168aa3
Amadey
3a5addf4fef89f397e1abe68c3e4605e13f1aefb20ac7a705e944dde4ccd5b8a
Amadey
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
Amadey
d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374
Amadey
da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
Amadey
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231101-tynmcscb43/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374
MD5 hash:
8da053f9830880089891b615436ae761
SHA1 hash:
47d5ed85d9522a08d5df606a8d3c45cb7ddd01f4
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/fb3aa1cf-591d-499a-a0c1-768e52b9ec68/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

DLL dll d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2726954/
Cape
Cape
https://www.capesandbox.com/analysis/457667/

Comments


Avatar
zbet commented on 2023-11-01 16:27:52 UTC

url : hxxp://167.235.20.126/bjdm32DP/Plugins/clip64.dll