MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
SHA3-384 hash: 2ac6b0b480a608973eb0d564f135dcda9a115f2d33d197e09b9b49a8c44084bbb425b826414556edc25c9140f85d387d
SHA1 hash: 91b53b79c98f22d0b8e204e11671d78efca48682
MD5 hash: ceffd8c6661b875b67ca5e4540950d8b
humanhash: saturn-burger-kitten-violet
File name:ceffd8c6661b875b67ca5e4540950d8b
Download: download sample
Signature Amadey
Create hunting rule
File size:104'448 bytes
First seen:2023-10-27 15:11:40 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 91452bf3259a3ff5928a3bb7f6be301a (11 x Amadey)
ssdeep 3072:bHEjxEfCk+EeY22JosmvWuQRRIQrT7xUD0YNS60Z:DsqqdLsOWuQRbaHNS60Z
Threatray 5 similar samples on MalwareBazaar
TLSH T1D6A35C057295C071E66E1A3A1874AFB5877EAC14DFB04DEB27400E7AAE243D1BD35C3A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 Amadey dll exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
333
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456719/
Detection(s):
Win.Malware.Zusy-10001339-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware zusy
Link:
https://www.filescan.io/uploads/653bd3424ebf05ac3f3bec8b/reports/c965b7ff-b346-474f-b104-4f5adb2841a6/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e553047e-50bd-4c00-9c70-61e664977aed
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1333355
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1333355 Sample: jbudGcb9GA.dll Startdate: 27/10/2023 Architecture: WINDOWS Score: 100 23 Multi AV Scanner detection for domain / URL 2->23 25 Found malware configuration 2->25 27 Antivirus detection for URL or domain 2->27 29 4 other signatures 2->29 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 12 7->9         started        12 rundll32.exe 7->12         started        14 rundll32.exe 12 7->14         started        17 5 other processes 7->17 dnsIp5 31 System process connects to network (likely due to code injection or exploit) 9->31 33 Found potential dummy code loops (likely to delay analysis) 12->33 21 185.196.8.176, 49707, 49708, 80 SIMPLECARRER2IT Switzerland 14->21 19 rundll32.exe 17->19         started        signatures6 process7
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-10-21 05:31:59 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3if7kuqjq3bpxex2szmo4l6lwb7okmpat6ib6kmxelanctuzj3ja._file
Verdict:
malicious
Similar samples:
19f0386456060982bf9880a31c55022371ea3825c10f5ecca1310c8219ed738c
Amadey
1ab121c22361884aa13cc654a4e79a6e70240d3ef60bc1e660aeef7bde168aa3
Amadey
3a5addf4fef89f397e1abe68c3e4605e13f1aefb20ac7a705e944dde4ccd5b8a
Amadey
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231027-sk54tafc4t/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
MD5 hash:
ceffd8c6661b875b67ca5e4540950d8b
SHA1 hash:
91b53b79c98f22d0b8e204e11671d78efca48682
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/6d787a67-03ae-4d93-96bc-b0596565c45d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

DLL dll da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2726274/
Cape
Cape
https://www.capesandbox.com/analysis/456719/

Comments


Avatar
zbet commented on 2023-10-27 15:11:42 UTC

url : hxxp://185.196.8.176/7jshasdS/Plugins/clip64.dll