Threat name: Python Stealer, Amadey, Monster Stealer
Alert
Classification: troj.spyw.evad
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Detected generic credential text file
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Hides threads from debuggers
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the Windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Capture Wi-Fi password
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Amadey's stealer DLL
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Behavior Graph
ID: 1457328
Sample: KmhrN2q5ZO.exe
Startdate: 14/06/2024
Architecture: WINDOWS
Score: 100

Process tree (reconstructed from the behavior graph; for each process: network contacts, dropped files, triggered signatures and child processes)

Sample (KmhrN2q5ZO.exe)
  Signatures:
    Found malware configuration
    Malicious sample detected (through community Yara rule)
    Antivirus detection for dropped file
    16 other signatures
  Started:
    KmhrN2q5ZO.exe
      Dropped:
        C:\Users\user\AppData\Local\...\axplong.exe (PE32)
        C:\Users\user\...\axplong.exe:Zone.Identifier (ASCII)
      Signatures:
        Detected unpacking (changes PE section rights)
        Tries to evade debugger and weak emulator (self modifying code)
        Tries to detect virtualization through RDTSC time measurements
        3 other signatures
      Started:
        axplong.exe
          Network:
            185.172.128.19 (NADYMSS-ASRU, Russian Federation)
            77.91.77.81 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation)
          Dropped:
            C:\Users\user\AppData\Local\...90ewKindR.exe (PE32)
            C:\Users\user\AppData\...\drivermanager.exe (PE32)
            C:\Users\user\AppData\...\onecommander.exe (PE32+)
            15 other malicious files
          Signatures:
            Multi AV Scanner detection for dropped file
            Tries to detect sandboxes and other dynamic analysis tools (window names)
            Tries to evade debugger and weak emulator (self modifying code)
            3 other signatures
          Started:
            judit.exe
              Dropped:
                C:\Users\user\AppData\...\_quoting_c.pyd (PE32+)
                C:\Users\user\AppData\...\vcruntime140.dll (PE32+)
                33 other files (32 malicious)
              Signatures:
                Multi AV Scanner detection for dropped file
                Machine Learning detection for dropped file
                Found many strings related to Crypto-Wallets (likely being stolen)
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Started:
                stub.exe
                  Network:
                    208.95.112.1 (TUT-ASUS, United States)
                    185.199.108.133 (FASTLYUS, Netherlands)
                    2 other IPs or domains
                  Dropped:
                    C:\Users\user\AppData\Local\...\Monster.exe (PE32+)
                    C:\Users\user\AppData\...\system_info.txt (Algol)
                    C:\Users\user\AppData\...\process_info.txt (ASCII)
                    3 other malicious files
                  Signatures:
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Modifies the Windows firewall
                    Tries to steal communication platform credentials (via file / registry access)
                    3 other signatures
                  Started:
                    cmd.exe
                      Signatures:
                        Uses netsh to modify the Windows network and firewall settings
                        Tries to harvest and steal WLAN passwords
                        Uses attrib.exe to hide files
                      Started:
                        conhost.exe
                    cmd.exe
                      Started:
                        systeminfo.exe
                          Signatures:
                            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                        net.exe
                          Started:
                            net1.exe
                        4 other processes
                          Started:
                            quser.exe
                    cmd.exe
                      Started:
                        WMIC.exe
                          Signatures:
                            Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                        conhost.exe
                    9 other processes
                      Started:
                        powershell.exe
                          Signatures:
                            Installs new ROOT certificates
                        16 other processes
            setup222.exe
              Network:
                172.67.198.131 (CLOUDFLARENETUS, United States)
              Dropped:
                C:\Users\user\Desktop\SetupWizard.exe (PE32+)
                17 other malicious files
            upd.exe
              Signatures:
                Contains functionality to inject code into remote processes
                Writes to foreign memory regions
                Allocates memory in foreign processes
                Injects a PE file into a foreign process
              Started:
                RegAsm.exe
                  Dropped:
                    C:\Users\user\AppData\Roaming\...\svhoost.exe (PE32)
                    C:\Users\user\AppData\Roaming\...\One.exe (PE32)
                  Signatures:
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                  Started:
                    svhoost.exe
                      Network:
                        185.172.128.33 (NADYMSS-ASRU, Russian Federation)
                      Signatures:
                        Installs new ROOT certificates
                        Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                    One.exe
                      Started:
                        conhost.exe
            3 other processes
              Network:
                185.215.113.67 (WHOLESALECONNECTIONSNL, Portugal)
                31.31.198.35 (AS-REGRU, Russian Federation)
              Dropped:
                C:\Users\user\AppData\Local\Temp\12.exe (PE32)
              Signatures:
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                Tries to steal Crypto Currency Wallets
              Started:
                RegAsm.exe
                  Network:
                    4.185.27.237 (LEVEL3US, United States)
                  Signatures:
                    Tries to steal Crypto Currency Wallets
                Conhost.exe
    svchost.exe
      Started:
        SetupWizard.exe
          Dropped:
            C:\Users\user\AppData\...\SetupWizard.exe (PE32+)
          Started:
            SetupWizard.exe
              Dropped:
                C:\Windows\system32\winsvc.exe (copy) (PE32+)
                C:\Windows\system32\.co70C0.tmp (copy) (PE32+)
                C:\Windows\System32\.co70C0.tmp (PE32+)
    svchost.exe
      Signatures:
        Changes security center settings (notifications, updates, antivirus, firewall)
    5 other processes
      Network:
        23.43.61.160 (AKAMAI-ASN1EU, United States)
      Signatures:
        Query firmware table information (likely to detect VMs)
url: hxxp://77.91.77.82/soka/random.exe