MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 13

SHA256 hash: daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95
SHA3-384 hash: 6b0c0749ee1f6619d13cebedc4db1bf26d0b880a808065e7032e30e3f4defe7273fa1cbbc3bd6d359941eca6c9631601
SHA1 hash: 49ab27ab30e6bfa5d9432aefefac32e108befcab
MD5 hash: 85a914f6400f14e001b8102742f3191b
humanhash: zulu-single-social-single
File name: file
Signature: Amadey
File size: 1'231'584 bytes
First seen: 2023-10-02 17:43:35 UTC
Last seen: 2023-10-03 08:24:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e74c8ae3503a17604f2a2d84ae3389c4 (4 x AgentTesla, 2 x SnakeKeylogger, 1 x DarkCloud)
ssdeep: 24576:1ALvx6r2VNpnwz+dDM4PKul7UD1cnCjQIEaCo7nfkvqVJN2L:Mvx6SVNLdDM4fqKCjx98SVJA
TLSH: T12D453323A393D251C54AFEB698BD6D732671A26D8190DB0F4CACE6D03CFD4B3885AC45
TrID: 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
      25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.8% (.EXE) OS/2 Executable (generic) (2029/13)
      1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: andretavare5
Tags: Amadey exe signed

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2023-10-02T17:30:19Z
Valid to: 2024-10-02T17:30:19Z
Serial number: 1d74c2dcee659073d898c1c2a97b2835
Thumbprint Algorithm: SHA256
Thumbprint: bf0231bdd16cacc640d70d3a40702b1f9d22326fd0e8c757570bcb227ecab876
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from http://185.225.74.144/files/Umm2.exe

Intelligence


File Origin
# of uploads: 11
# of downloads: 310
Origin country: US

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: Services[1].exe
Verdict: Malicious activity
Analysis date: 2023-10-02 18:24:31 UTC
Tags: privateloader evasion opendir loader stealer redline amadey botnet trojan fabookie lu0bot backdoor smoke miner phonk rhadamanthys teamspy remote g0njxa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Creating a window
Running batch commands
Blocking the User Account Control
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: hacktool overlay packed packed packed upx
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Fabookie, Glupteba, LummaC Steal
Detection: malicious
Classification: troj.spyw.expl.evad.adwa
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph: Behavior Graph ID 1318182, sample file.exe, start date 02/10/2023, architecture WINDOWS, score 100 (graph rendering not reproduced here)
Threat name: Win64.Trojan.Znyonm
Status: Malicious
First seen: 2023-10-02 17:44:07 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 14 of 23 (60.87%)
Threat level: 5/5
Verdict: unknown
Result
Malware family:
Score: 10/10
Tags: family:amadey family:fabookie family:glupteba family:smokeloader family:xmrig botnet:pub1 backdoor dropper evasion loader miner spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Launches sc.exe
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Amadey
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
SmokeLoader
UAC bypass
xmrig
Malware Config
C2 Extraction:
http://193.42.32.29/9bDc8sQ/index.php
http://app.nnnaajjjgc.com/check/safe
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SHA256 hash: 390f166c2909137e779320a75f98fc55afbcf520237d50a2e53a04e8c2e20a8e
MD5 hash: a31b5cab0a30f88e473d3eb5cf806623
SHA1 hash: 51aec869db2e21ff8e5dda5756677bd5f3d00565
SHA256 hash: daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95
MD5 hash: 85a914f6400f14e001b8102742f3191b
SHA1 hash: 49ab27ab30e6bfa5d9432aefefac32e108befcab
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: shad0w_beacon_16June
Author: SBousseaden
Description: Shad0w beacon compressed
Reference: https://github.com/bats3c/shad0w

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments