MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbe58d85c6d914e378b6ab0f05a3683a4e9ee3889a9c1e0b7834a1f2612cd09f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 9


Intelligence 9 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbe58d85c6d914e378b6ab0f05a3683a4e9ee3889a9c1e0b7834a1f2612cd09f
SHA3-384 hash: f83b4a98e0532a940b66d1bad0dfeb92456ddaed45584f074dae36a53e7f3863daae7ab410862aa20c9eb6e7165b79c0
SHA1 hash: 71a2c4d9d385f5169d6e575be1be4c78af4499cd
MD5 hash: 53f3dcf064d4622dfc331623fec3b8fc
humanhash: thirteen-north-oscar-butter
File name:dbe58d85c6d914e378b6ab0f05a3683a4e9ee3889a9c1e0b7834a1f2612cd09f
Download: download sample
Signature Amadey
Create hunting rule
File size:10'753'536 bytes
First seen:2023-09-06 12:57:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ca2ada15fca9ba51b650e1414510d44 (2 x Amadey, 1 x LummaStealer, 1 x RemcosRAT)
ssdeep 196608:8V0I8onCri+vQRIq0iq2h3oeoYSeyB6vnKCD25kvmeh6vFF//aFcPezl9f:8L8on2i+vUIqZHScvKCBtwF+T
Threatray 7 similar samples on MalwareBazaar
TLSH T157B6F122BA41C431E4920578586BAB78457DBE208B75C4D3A7D43E6FF9314D32B3A36B
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 30b28a83e3f37a98 (2 x Amadey)
Reporter adrian__luca
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dbe58d85c6d914e378b6ab0f05a3683a4e9ee3889a9c1e0b7834a1f2612cd09f
Verdict:
Malicious activity
Analysis date:
2023-09-06 12:57:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fc108b79-8b3c-42ef-95c3-4845299b80e6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446581/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.13738.3744.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/dbe58d85c6d914e378b6ab0f05a3683a4e9ee3889a9c1e0b7834a1f2612cd09f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bee55fa0-9350-4fc5-8a78-38c42efa57db
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1304316
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dbe58d85c6d914e378b6ab0f05a3683a4e9ee3889a9c1e0b7834a1f2612cd09f/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-09-06 12:58:08 UTC
File Type:
PE (Exe)
Extracted files:
901
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3psy3bog3ekog6fwvmhqli3ihjhj5y4itkob4c3ygsq7eyjm2cpq._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Similar samples:
8f485c0ced1df9b72c676413a4fbf7dcb0ff502cb90932cfe4430c08d8c87de5
Amadey
95c06a49c439b9c6baf3e39786a25e09c065e407c6b9bb0ba0e31a0bd8f12ad8
Amadey
ad34fb2d07c3340e16218e86b663ec39717dfe30f8951bd3922603aeeb9a9f8c
Amadey
c1d67650c1478f217e31fc7d54d9196bf6384d6e6edcafcc85f600a858ea2252
Amadey
ce28b5bb36eae2c073a5856951a22de3968efd713df1c4e373b1e16cfe5ae255
Amadey
e6db950824ebaa85c4bd6b49915bee14d1bbdb7124e68e5494fce0b6d4ae7b38
Amadey
f053d7dfa216679695b7a4956df3f2fc1aff73b5c34e54e118cf1009cc4c6465
Amadey
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230906-p7g4qafe2x/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Drops file in System32 directory
Unpacked files
SH256 hash:
99ef60cf8fbcb6bbea74a0d5bc78f2e7392fd7c164119ca7c88c8394999c665f
MD5 hash:
ef97db1868599d46ee39276618676dfa
SHA1 hash:
239dc5dedb9de1c02642c0f27af5a7d1d411ffb3
Link:
https://www.unpac.me/results/1eefbd03-b832-4e72-856b-565f45d3ce4f/
SH256 hash:
dbe58d85c6d914e378b6ab0f05a3683a4e9ee3889a9c1e0b7834a1f2612cd09f
MD5 hash:
53f3dcf064d4622dfc331623fec3b8fc
SHA1 hash:
71a2c4d9d385f5169d6e575be1be4c78af4499cd
Link:
https://www.unpac.me/results/1eefbd03-b832-4e72-856b-565f45d3ce4f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbe58d85c6d914e378b6ab0f05a3683a4e9ee3889a9c1e0b7834a1f2612cd09f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang
Create hunting rule
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446581/

Comments