Threat name: Amadey, Fabookie, Glupteba, Nymaim, Priv
Classification: phis.troj.spyw.expl.evad (Joe Sandbox class tags: phishing, trojan, spyware, exploiter, evader)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign Windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disables Windows Defender real-time protection (registry)
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal FTP login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey's stealer DLL
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
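The persistence and injection signatures above (schtasks.exe task creation, rundll32.exe loading the stealer DLL, cmd.exe -> cacls.exe, a system process connecting to the network after injection) translate directly into endpoint hunting rules. The following is an added example written for this page, not code from abuse.ch or Joe Sandbox: four rules run over constructed process-creation and network events shaped like the chain in the behavior graph. The event schema (kind/image/parent_image/cmdline/dest_ip), the full paths under the report's "..." elisions and the cacls switches are assumptions made for the example.

```python
"""Hunting rules for the persistence and injection chain in the signature list.

Added example, not code from abuse.ch or Joe Sandbox. Events are constructed to
mirror the behavior graph (nbveek.exe -> schtasks.exe, cmd.exe -> cacls.exe,
rundll32.exe loading a DLL from AppData\\Roaming, explorer.exe reaching the
internet after injection). The event schema, the full paths and the cacls
switches are assumptions, not values taken from the report.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Directories a standard user can write to; every dropper in this chain lands in one.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\[^\\]+\\(?:Documents|Downloads|Desktop)"
    r"|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)
# Loose match for a cacls/icacls deny-style operation (assumed syntax).
DENY_SWITCH = re.compile(r"/deny\b|/d\b|:n\b", re.IGNORECASE)
DLL_PATH = re.compile(r'"?([a-z]:\\[^",]+\.dll)', re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    image: str
    parent_image: str = ""
    cmdline: str = ""
    dest_ip: str = ""

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def is_public_ip(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def schtasks_from_user_dir(ev: Event) -> bool:
    # "Uses schtasks.exe or at.exe to add and modify task schedules", narrowed to
    # a task created by a binary that itself lives in a user-writable directory.
    return (ev.kind == "process" and ev.name == "schtasks.exe"
            and "/create" in ev.cmdline.lower() and in_user_writable(ev.parent_image))


def rundll32_user_dir_dll(ev: Event) -> bool:
    # cred64.dll / clip64.dll are run from AppData\Roaming via rundll32.exe.
    if ev.kind != "process" or ev.name != "rundll32.exe":
        return False
    m = DLL_PATH.search(ev.cmdline)
    return m is not None and in_user_writable(m.group(1))


def cacls_lockdown(ev: Event) -> bool:
    # cmd.exe -> cacls.exe restricting access to the dropped payload.
    return (ev.kind == "process" and ev.name in ("cacls.exe", "icacls.exe")
            and in_user_writable(ev.cmdline) and DENY_SWITCH.search(ev.cmdline) is not None)


def explorer_public_connection(ev: Event) -> bool:
    # "System process connects to network": explorer.exe has little reason to reach
    # arbitrary public IPs; after injection it carries the stealer's C2 traffic.
    return ev.kind == "network" and ev.name == "explorer.exe" and is_public_ip(ev.dest_ip)


RULES: dict[str, Callable[[Event], bool]] = {
    "schtasks_from_user_dir": schtasks_from_user_dir,
    "rundll32_user_dir_dll": rundll32_user_dir_dll,
    "cacls_lockdown": cacls_lockdown,
    "explorer_public_connection": explorer_public_connection,
}


def run_rules(events: Iterable[Event]) -> list:
    """Return (rule name, event) for every rule that fires on every event."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry; "\x\" stands in for the paths the report elides.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\schtasks.exe", r"C:\Users\user\AppData\Local\x\nbveek.exe",
          r'schtasks /create /sc minute /mo 1 /tn nbveek.exe /tr "C:\Users\user\AppData\Local\x\nbveek.exe" /f'),
    Event("process", r"C:\Windows\System32\cacls.exe", r"C:\Windows\System32\cmd.exe",
          r'cacls "C:\Users\user\AppData\Local\x" /E /G "user:N"'),
    Event("process", r"C:\Windows\System32\rundll32.exe", r"C:\Users\user\AppData\Local\x\nbveek.exe",
          r'rundll32.exe "C:\Users\user\AppData\Roaming\x\cred64.dll", Main'),
    Event("network", r"C:\Windows\explorer.exe", dest_ip="45.12.253.98"),
    Event("network", r"C:\Windows\explorer.exe", dest_ip="192.168.2.1"),          # sandbox gateway: no hit
    Event("process", r"C:\Windows\System32\schtasks.exe", r"C:\Program Files\Vendor\updater.exe",
          "schtasks /create /sc daily /tn VendorUpdate /tr updater.exe"),         # benign parent: no hit
]

if __name__ == "__main__":
    for rule_name, ev in run_rules(SAMPLE_EVENTS):
        print(f"{rule_name:28} {ev.name:14} {ev.cmdline or ev.dest_ip}")
```

The parent-path condition is what keeps the schtasks rule quiet on legitimate installers: the sample's own task points back into AppData, a vendor updater under Program Files does not. The explorer.exe rule will still fire on some legitimate shell extensions, so in production pair it with the "dropped PE in AppData\Roaming" observation before escalating.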
Behavior Graph
ID: 791100
Sample: D677F86403915B15AB62B1278CC...
Startdate: 25/01/2023
Architecture: WINDOWS
Score: 100

The graph rendered as a process tree (started = child process; injected = code injected into an already running process; dropped = file written, with PE type; contacts = network destination with AS name and country; "N other ..." entries are the graph's own collapsed nodes):

sample start
  contacts: 45.12.253.98 (CMCSUS, Germany)
  signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 21 other signatures
  started: D677F86403915B15AB62B1278CC7E6A8F2A98DE2BA6A8.exe
    contacts: 185.246.221.154 (LVLT-10753US, Germany); 136.144.41.201 (WORLDSTREAMNL, Netherlands); 16 other IPs or domains
    dropped: C:\Users\...\udAnZbXAPN8AuW3USB4vwKiy.exe (PE32); C:\Users\...\q1j9TgLACrClFMfg1CTy4_Lr.exe (PE32+); C:\Users\...\ix9duj7N1c9RCS0ygB57UPtI.exe (PE32+); 14 other malicious files
    signatures: Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender real-time protection (registry)
    started: dpWAPwTZxFFUeaLnFhl2M7vI.exe
      dropped: C:\Users\user\AppData\Local\Temp\xlli.exe (PE32); C:\Users\user\AppData\Local\Temp\birge.exe (MS-DOS); C:\Users\user\AppData\Local\...\Player31.exe (PE32)
      started: birge.exe
        signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 3 other signatures
      started: Player31.exe
        dropped: C:\Users\user\AppData\Local\...\nbveek.exe (PE32)
        started: nbveek.exe
          contacts: 77.73.134.27 (FIBEROPTIXDE, Kazakhstan); 192.168.2.1 (unknown AS, private address)
          dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Local\...\cred64[1].dll (PE32+)
          signatures: Multi AV Scanner detection for dropped file
          started: schtasks.exe
            started: conhost.exe
          started: cmd.exe
            started: conhost.exe
      started: xlli.exe
        started: conhost.exe
    started: N1Uz5QMCcZr40CIARTjPzKlA.exe
      dropped: C:\Users\user\AppData\Local\...\nbveek.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file
      started: nbveek.exe
        contacts: 62.204.41.89 (TNNET-ASTNNetOyMainnetworkFI, United Kingdom)
        dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); 2 other malicious files
        signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Uses schtasks.exe or at.exe to add and modify task schedules
        started: rundll32.exe
          started: rundll32.exe
            signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal FTP login credentials; Tries to harvest and steal browser information (history, passwords, etc)
        started: cmd.exe
          started: conhost.exe
          started: cmd.exe
          started: cacls.exe
          started: 3 other processes
        started: schtasks.exe
          started: conhost.exe
        started: rundll32.exe
    started: eiqwzyQ1zonJo2xbz55jdDIL.exe
      signatures: Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign process
      started: eiqwzyQ1zonJo2xbz55jdDIL.exe
        signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
        injected: explorer.exe
          dropped: C:\Users\user\AppData\Roaming\vcthrtu (PE32)
          signatures: System process connects to network (likely due to code injection or exploit); Benign Windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
    started: 10 other processes
      contacts: 157.240.17.35 (FACEBOOKUS, United States); 157.240.253.35 (FACEBOOKUS, United States); 45.66.159.142 (ENZUINC-US, Russian Federation)
      dropped: C:\Windows\Temp\321.exe (PE32); C:\Windows\Temp\123.exe (PE32); C:\Users\...\iTswsoijKRfn8T7Puh0Zkf9u.tmp (PE32); C:\Users\user\AppData\Local\...\Install.exe (PE32)
      signatures: Detected unpacking (overwrites its own PE header); Obfuscated command line found; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
      started: iTswsoijKRfn8T7Puh0Zkf9u.tmp
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32); 6 other files (5 malicious)
        started: finalrecovery.exe
          contacts: 45.12.253.56, 45.12.253.72, 45.12.253.75 (all CMCSUS, Germany)
          dropped: C:\Users\user\AppData\Roaming\...\2NBs3.exe (PE32)
      started: AppLaunch.exe
        contacts: 45.15.156.209 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
        dropped: 5 other files (3 malicious)
      started: Conhost.exe
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      started: 3 other processes
  started: svchost.exe
    signatures: Query firmware table information (likely to detect VMs)
  started: svchost.exe
    signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  started: 7 other processes
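The graph is exported as numbered nodes joined by "a->b" edges, and what an analyst usually wants from it is not the picture but the answer to "which process chain talked to which IP, and who dropped what". The block below is an added example, not code from abuse.ch or Joe Sandbox: it rebuilds a hand-copied subset of this page's graph (node ids, labels and edges as exported; the "..." in paths is the report's own elision) into a tree and groups the IOCs by the process chain behind them, discarding the private 192.168.2.1 gateway address that is sandbox plumbing rather than an indicator. The relation name "contacts" is my label for the unlabelled process-to-IP edges; "started", "dropped" and "injected" are the graph's own.

```python
"""Rebuild the behavior graph as a process tree and pull IOCs out of it.

Added example, not abuse.ch or Joe Sandbox code. NODES and EDGES are a
hand-copied subset of the graph on this page (node ids, labels and "a->b"
edges as exported; "..." in paths is the report's own elision). "started",
"dropped" and "injected" are the graph's relation names; "contacts" is used
here for the unlabelled process-to-IP edges.
"""
import ipaddress
from collections import defaultdict

ROOT = 2  # the "sample start" node

NODES = {
    2: "sample start (ID 791100, 25/01/2023)",
    11: "D677F86403915B15AB62B1278CC7E6A8F2A98DE2BA6A8.exe",
    16: "svchost.exe",
    22: "dpWAPwTZxFFUeaLnFhl2M7vI.exe",
    25: "N1Uz5QMCcZr40CIARTjPzKlA.exe",
    28: "eiqwzyQ1zonJo2xbz55jdDIL.exe",
    36: "Player31.exe",
    41: "nbveek.exe",
    44: "eiqwzyQ1zonJo2xbz55jdDIL.exe",
    54: "nbveek.exe",
    61: "rundll32.exe",
    65: "schtasks.exe",
    69: "explorer.exe",
    77: "rundll32.exe",
    96: r"C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+",
    118: r"C:\Users\user\AppData\Local\...\nbveek.exe, PE32",
    132: r"C:\Users\user\AppData\Roaming\vcthrtu, PE32",
    144: "45.12.253.98 CMCSUS Germany",
    146: "77.73.134.27 FIBEROPTIXDE Kazakhstan",
    148: "192.168.2.1 unknown unknown",
    156: "62.204.41.89 TNNET-ASTNNetOyMainnetworkFI United Kingdom",
}
EDGES = [  # (src, dst, relation), copied from the "src->dst" lines of the export
    (2, 144, "contacts"), (2, 11, "started"), (2, 16, "started"),
    (11, 22, "started"), (11, 25, "started"), (11, 28, "started"),
    (22, 36, "started"), (36, 54, "started"),
    (54, 146, "contacts"), (54, 148, "contacts"),
    (25, 118, "dropped"), (25, 41, "started"),
    (41, 156, "contacts"), (41, 96, "dropped"),
    (41, 61, "started"), (41, 65, "started"), (61, 77, "started"),
    (28, 44, "started"), (44, 69, "injected"), (69, 132, "dropped"),
]


def child_map(edges):
    out = defaultdict(list)
    for src, dst, rel in edges:
        out[src].append((dst, rel))
    return out


def chain_to(edges, node):
    """Node ids from the root down to `node` (the export is a tree: one parent each)."""
    parent = {dst: src for src, dst, _ in edges}
    chain = [node]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def extract_iocs(nodes, edges):
    """Group IPs, dropped files and injection targets by the process chain behind them."""
    iocs = {"ips": {}, "files": {}, "injected": {}, "local_only": []}
    for src, dst, rel in edges:
        chain = [nodes[i] for i in chain_to(edges, src)[1:]]  # process names, root excluded
        if rel == "contacts":
            ip, asn, country = nodes[dst].split(" ", 2)
            if ipaddress.ip_address(ip).is_global:
                iocs["ips"][ip] = {"asn": asn, "country": country, "via": chain}
            else:
                iocs["local_only"].append(ip)  # sandbox-internal address, not an indicator
        elif rel == "dropped":
            path, _, ftype = nodes[dst].rpartition(", ")
            iocs["files"][path] = {"type": ftype, "by": chain}
        elif rel == "injected":
            iocs["injected"][nodes[dst]] = chain  # the chain ending in the injector
    return iocs


def render(nodes, edges, root=ROOT):
    """Indented text tree, one line per node, tagged with the edge relation."""
    kids = child_map(edges)
    lines = []

    def walk(node, rel, depth):
        lines.append(f"{'  ' * depth}[{rel}] {nodes[node]}")
        for child, crel in kids[node]:
            walk(child, crel, depth + 1)

    walk(root, "root", 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(NODES, EDGES)))
    for ip, info in extract_iocs(NODES, EDGES)["ips"].items():
        print(ip, info["asn"], info["country"], "<-", " > ".join(info["via"]) or "sample start")
```

Keeping the chain alongside each IOC is what makes the output actionable: 77.73.134.27 is attributed to the nbveek.exe copy started through Player31.exe, the vcthrtu drop is attributed to explorer.exe with the injecting eiqwzyQ1zonJo2xbz55jdDIL.exe visible one step up the chain, and a flat IP list would lose both facts.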