MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da730557f8b4c1520f0de35abbe7680031db2dbd9ccc66560d58b3c4e2e29828. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	da730557f8b4c1520f0de35abbe7680031db2dbd9ccc66560d58b3c4e2e29828
SHA3-384 hash:	5af280b7b569a271b0fc45868ed6e9d811d1d22e7817b6400c4d30fc75f4212d1a1aaf84271e6e131d725c98e2a71bbd
SHA1 hash:	bbd3e005d253320876ed820b75ea9293596e4544
MD5 hash:	5ffa91652bd79f6a0938a7f01cf25a82
humanhash:	ceiling-mobile-bravo-montana
File name:	SecuriteInfo.com.Win32.PWSX-gen.13348.22865
Download:	download sample
Signature	Amadey Create hunting rule
File size:	1'875'968 bytes
First seen:	2024-02-06 09:23:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	49152:RGATe4wEwYMW/37z+mFJJU7FG1dJCZzwTkN:A2e4wyfrCTIdazOm
TLSH	T1AC953303517368E5C5D3AA3FD2548B343A241F8FC7609E727B8D51338225658EAABB37
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	SecuriteInfoCom
Tags:	Amadey exe

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

da730557f8b4c1520f0de35abbe7680031db2dbd9ccc66560d58b3c4e2e29828.exe

Verdict:

Malicious activity

Analysis date:

2024-02-06 09:42:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3dfc2268-1368-4e24-acd3-1e59507ef8d7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Amadey

Link:

https://www.capesandbox.com/analysis/474828/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.13348.22865.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm packed

Link:

https://www.filescan.io/uploads/65c1fab719fc38091423e857/reports/433db16f-a5bb-4c60-a053-9ac3699505c3/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/da730557f8b4c1520f0de35abbe7680031db2dbd9ccc66560d58b3c4e2e29828

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6d6b889d-2c3f-4db1-98bb-a222e955e33a

Result

Threat name:

Amadey

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1387406

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Sigma detected: Capture Wi-Fi password

Sigma detected: Suspicious Script Execution From Temp Folder

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal WLAN passwords

Tries to steal Instant Messenger accounts or passwords

Uses netsh to modify the Windows network and firewall settings

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/da730557f8b4c1520f0de35abbe7680031db2dbd9ccc66560d58b3c4e2e29828

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da730557f8b4c1520f0de35abbe7680031db2dbd9ccc66560d58b3c4e2e29828/

Threat name:

Win32.Spyware.Risepro

Status:

Malicious

First seen:

2024-02-06 09:24:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3jzqkv7ywtavedyn4nnlxz3iaay5wln5ttggmvqnlcz4jyxctaua._file

Verdict:

malicious

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:amadey family:redline family:risepro family:zgrat botnet:@pixelscloud evasion infostealer persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/240206-lc2cbsefhk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Launches sc.exe

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

.NET Reactor proctector

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads user/profile data of web browsers

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Amadey

Detect ZGRat V1

RedLine

RedLine payload

RisePro

ZGRat

Malware Config

C2 Extraction:

http://185.215.113.32
193.233.132.62:50500
94.156.67.230:13781

Unpacked files

SH256 hash:

da1e2adce6e33031272ded3cedd4c9e53a3d870a1b5ff90bf1abc6e41fddd30f

MD5 hash:

0825cdad2af7722b9bde9df0a1160f58

SHA1 hash:

7dda01409aca8e34cdef425bb06a776ba1108d0e

Detections:

win_amadey

Link:

https://www.unpac.me/results/445ebcb8-cdb5-401c-9db3-54bde0c5da7d/

SH256 hash:

da730557f8b4c1520f0de35abbe7680031db2dbd9ccc66560d58b3c4e2e29828

MD5 hash:

5ffa91652bd79f6a0938a7f01cf25a82

SHA1 hash:

bbd3e005d253320876ed820b75ea9293596e4544

Link:

https://www.unpac.me/results/445ebcb8-cdb5-401c-9db3-54bde0c5da7d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/da730557f8b4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/da730557f8b4c1520f0de35abbe7680031db2dbd9ccc66560d58b3c4e2e29828

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.