MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfcfe1ebe78436f7f7a050b001d9b756475918f25c164ea3cf874143df2f08d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfcfe1ebe78436f7f7a050b001d9b756475918f25c164ea3cf874143df2f08d3
SHA3-384 hash: 5e976867872ade919a4b3e03c674de82babec2eae07e37e631e13f93455aec9805e93c1d516f8d075f4853b934159894
SHA1 hash: 76f70e5c57f3a7a7d99745bcd09c379fab6f67e9
MD5 hash: 06c02872440c96cd9cb0208f8f1f8944
humanhash: red-missouri-georgia-idaho
File name:06c02872440c96cd9cb0208f8f1f8944.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:922'112 bytes
First seen:2023-03-03 14:20:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:RydhQlMtwn1uZpzuxNNQM13ZaYp+V9WYa:EdhQk2uZpzKNqM3s9WY
TLSH T114151207BBE984D2E9F58B3018FB46C3063ABD505634D2DB178E9C6D18637A4F53236A
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://193.233.20.25/buH5N004d/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
06c02872440c96cd9cb0208f8f1f8944.exe
Verdict:
Malicious activity
Analysis date:
2023-03-03 14:21:02 UTC
Tags:
rat redline trojan amadey loader
Link:
https://app.any.run/tasks/26e7734a-e0c8-467b-9163-aa9559431ca5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371388/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Disabler-9987080-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Blocking the Windows Defender launch
Disabling the operating system update service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
advpack.dll CAB greyware installer packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6402025093921fa0423644d8/reports/b4f23196-052d-4fc8-96c9-37a66ddc7c36/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/dfcfe1ebe78436f7f7a050b001d9b756475918f25c164ea3cf874143df2f08d3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71f3e844-9321-4e51-ba7e-ebcd1d200055
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1186557
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 819431 Sample: 7Y8AiMZV3B.exe Startdate: 03/03/2023 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for dropped file 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 5 other signatures 2->48 8 7Y8AiMZV3B.exe 1 4 2->8         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        process3 file4 38 C:\Users\user\AppData\...\pteg5691dm.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\...\jxSn60mR49.exe, PE32 8->40 dropped 17 pteg5691dm.exe 1 4 8->17         started        process5 file6 30 C:\Users\user\AppData\...\ptCO1091tX.exe, PE32 17->30 dropped 32 C:\Users\user\AppData\...\hk52ym21MJ58.exe, PE32 17->32 dropped 50 Machine Learning detection for dropped file 17->50 21 ptCO1091tX.exe 1 4 17->21         started        signatures7 process8 file9 34 C:\Users\user\AppData\...\ctoO52MR42.exe, PE32 21->34 dropped 36 C:\Users\user\AppData\...\bemH94UK41.exe, PE32 21->36 dropped 52 Machine Learning detection for dropped file 21->52 25 bemH94UK41.exe 9 1 21->25         started        28 ctoO52MR42.exe 1 1 21->28         started        signatures10 process11 signatures12 54 Detected unpacking (changes PE section rights) 25->54 56 Detected unpacking (overwrites its own PE header) 25->56 58 Machine Learning detection for dropped file 25->58 62 2 other signatures 25->62 60 Multi AV Scanner detection for dropped file 28->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dfcfe1ebe78436f7f7a050b001d9b756475918f25c164ea3cf874143df2f08d3/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-03-03 14:38:48 UTC
File Type:
PE (Exe)
Extracted files:
223
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=37h6d27hqq3pp55akcyadwnxkzdvsghslqle5i6pq5auhxzpbdjq._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline botnet:rosto discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230303-rnz7ashc4w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Malware Config
C2 Extraction:
hueref.eu:4162
193.233.20.25/buH5N004d/index.php
Unpacked files
SH256 hash:
ee755d14d30d80fe4ff87a8357414088ac30fe1ca417b01a781d3efadfa0fa59
MD5 hash:
9686974abf84e296c9fb302e1e60c8e8
SHA1 hash:
e9f99186ae596038ad6e6de2fcde90e387859a1e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3d9a5179-c667-49a8-b697-e066f8fa78ee/
Parent samples :
049dc4bde6ac879a23950d749d93ee9f6c5ea2a9ced45a0aab02af4466590180
9ca7e51801c4e6739317ad90b9720d375fe076362dca54546d6bebb3e187f3d4
dfcfe1ebe78436f7f7a050b001d9b756475918f25c164ea3cf874143df2f08d3
6f1b5358eb811f0fcca3b0ae1ca98e00601a813e39dd5314745c8fd9294a709d
f5509b5c387c364d2edd977ff30615b59b54a59a7eb8e9c5e31afc0ebb5cc82c
ed18d115d0cdc3e2a1231b05e5726a80c0212bba1a7f042a19835a22d7b39f8c
4c5004484ceebcbe45581f63810177bb1a008c4fdf33a57c173757a183d2477c
f668050b3c243844ae955da370feaba2d358349d4e5b4ddec41420fb60efe98f
0ea897821dd92f57e784db5a55f7d9f3e7cf2f7901e5a3106021cc0231aab055
9056ef22ee3306ad372517f5824b4005398eb0609b1d5f31dcc1f65b17dceb34
e1710bde227f564c560614832808b1d5ed9ad6a1ffa82e4054fc6d5b70654fc3
deb0e5a5558198881a52c3b9e0135b49e113057e8bc355e9473106094550fc5d
16bd48124210dc744f4654c870e79ed1311eca6abec618bb5e709c827280c4ea
SH256 hash:
d038e149e13ea36b4b880803dc23821bbc7ae9f9069744c85e2ec76b7474db3a
MD5 hash:
17426f1992d45c738eb92f4eb11aab46
SHA1 hash:
85507de66165773cab2308d88acce369481b6fa2
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3d9a5179-c667-49a8-b697-e066f8fa78ee/
Parent samples :
9ca7e51801c4e6739317ad90b9720d375fe076362dca54546d6bebb3e187f3d4
dfcfe1ebe78436f7f7a050b001d9b756475918f25c164ea3cf874143df2f08d3
66a4e11b4b456161e5561e8ffb153daa896db70e6575cf167acf2338dbdf3861
1763ca201c7137c9b105cec473fc8099384a951925f8c2abbce55fd976fbd26f
94f72fbf8f77ae4664efcdbb22019e9dc0b0d37e5ee3a6d70d2cde10fa5f89ca
06c315304e58078deffa97fc02b766be633ed54d2401dd87ea589781c8f45f18
6f1b5358eb811f0fcca3b0ae1ca98e00601a813e39dd5314745c8fd9294a709d
3aecd3da65242f0d98650235f4b81789da191353c53b4f562aa664badd656af2
0da48eb333b5c87c425d7b3020068b798c87bb86d9fe98f80c072a14d5d56207
f7cf737c50329dfdb61ba4627802b23db702414a6b651c8cbada0b7904edeff6
946669666cc16fe3efcdd943580b2cb17d08c978548a159f3fea4cb6f4753fcc
9056ef22ee3306ad372517f5824b4005398eb0609b1d5f31dcc1f65b17dceb34
deb0e5a5558198881a52c3b9e0135b49e113057e8bc355e9473106094550fc5d
13288d9b289795e49477db78e121dd47b26013516fb2e65208d48f1498d414ce
SH256 hash:
ac6fc4523d49b64c076bacbd920a9b896f57570c6b7752ccef9f596daccc87de
MD5 hash:
f79b7bdb93533fe03b3cc22e543b249f
SHA1 hash:
e257dd5b248df6c26db40a0260d0d975a9a40f03
Link:
https://www.unpac.me/results/3d9a5179-c667-49a8-b697-e066f8fa78ee/
SH256 hash:
1792c07282d9da550e6ab83284fe08d77e206db60f0791d9e2a475d499849f77
MD5 hash:
462864f98f30fb67b56278582ea1a904
SHA1 hash:
4f81703cdf965e869cfd6bb168518b9da991c396
Link:
https://www.unpac.me/results/3d9a5179-c667-49a8-b697-e066f8fa78ee/
SH256 hash:
174324c30c01e965709c9322987f20f82c9019187213d4fc9504a812b6d1e5b5
MD5 hash:
43e25248979ac302d688882df952d29a
SHA1 hash:
a4c8c4bd0734f90c0139c91fcc9700f801ce0179
Link:
https://www.unpac.me/results/3d9a5179-c667-49a8-b697-e066f8fa78ee/
SH256 hash:
af5d8e33406641add492129776f1757ed7f0a8153a6afb7da8757393181ed781
MD5 hash:
3b5fbe7d0b671d65d90aae470d314571
SHA1 hash:
10a2e15d4125bf8c8477783c3b063dd3f38dd5d0
Link:
https://www.unpac.me/results/3d9a5179-c667-49a8-b697-e066f8fa78ee/
SH256 hash:
dfcfe1ebe78436f7f7a050b001d9b756475918f25c164ea3cf874143df2f08d3
MD5 hash:
06c02872440c96cd9cb0208f8f1f8944
SHA1 hash:
76f70e5c57f3a7a7d99745bcd09c379fab6f67e9
Link:
https://www.unpac.me/results/3d9a5179-c667-49a8-b697-e066f8fa78ee/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dfcfe1ebe784/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfcfe1ebe78436f7f7a050b001d9b756475918f25c164ea3cf874143df2f08d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe dfcfe1ebe78436f7f7a050b001d9b756475918f25c164ea3cf874143df2f08d3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2551757/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/371388/

Comments