MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e10013c1610befd6ba09dbbc264579d94a7e3815eb99a643636ea259d484f454. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e10013c1610befd6ba09dbbc264579d94a7e3815eb99a643636ea259d484f454
SHA3-384 hash: f86433a382f04ac912adc6b3efc544e9e663df6179649dc99c93c619681599e8396efa7554e35f347c633b6d8c7f3f27
SHA1 hash: 101441c1ea7136bfb9d4035048b95b3b1c32b0f1
MD5 hash: 6c0e31aca746f1e8772237236be9b4dd
humanhash: hydrogen-blossom-missouri-apart
File name:Kurome.Loader.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:2'731'008 bytes
First seen:2023-01-23 04:42:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (434 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 49152:jkQTApW00GPtL6VS0AapZWfJR7dhHMdoQKs+32jfgl8pgpwa6SMWjyTM0VOBfH5n:japWVGPtGI0AapZgGpgS65MWj8aBn
TLSH T188C5335572918277D8F7B07544D28BB8AA7F76A00753A4DBBAEE06329E017C1B1331CB
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter ___
Tags:Amadey dropper exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
386
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
Kurome.Loader.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 04:44:59 UTC
Tags:
trojan amadey loader
Link:
https://app.any.run/tasks/27b317ff-1d24-4453-8e24-a6a6e93fa4a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/355749/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Moving a system file
Launching a process
Replacing system executable files
Launching cmd.exe command interpreter
Creating a window
Delayed reading of the file
Sending an HTTP POST request
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Infecting executable files
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62369/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EnumerateProcesses
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
fingerprint greyware packed stealer
Link:
https://www.filescan.io/uploads/63ce1056905a5ac3b9088087/reports/f3b3d0db-ec94-45e0-9e23-da2008b79732/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30a50795-2b98-4728-a66e-3c070ad31005
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156716
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 789448 Sample: Kurome.Loader.exe Startdate: 23/01/2023 Architecture: WINDOWS Score: 100 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 Multi AV Scanner detection for dropped file 2->92 94 7 other signatures 2->94 11 Kurome.Loader.exe 6 2->11         started        14 nbveek.exe 2->14         started        process3 file4 68 C:\Users\user\AppData\...\Kurome.Loader.exe, PE32 11->68 dropped 70 C:\Users\user\AppData\Local\Temp\Amadey.exe, PE32 11->70 dropped 72 C:\Users\user\...\Kurome.Loader.exe.log, ASCII 11->72 dropped 16 Amadey.exe 3 11->16         started        20 Kurome.Loader.exe 4 11->20         started        process5 file6 54 C:\Users\user\AppData\Local\...\nbveek.exe, PE32 16->54 dropped 78 Antivirus detection for dropped file 16->78 80 Multi AV Scanner detection for dropped file 16->80 82 Machine Learning detection for dropped file 16->82 84 Contains functionality to inject code into remote processes 16->84 22 nbveek.exe 21 16->22         started        56 C:\Windows\...\System.dll.old (copy), PE32 20->56 dropped 58 C:\Windows\Microsoft.NET\...\System.dll, PE32 20->58 dropped 86 Infects executable files (exe, dll, sys, html) 20->86 27 conhost.exe 20->27         started        signatures7 process8 dnsIp9 74 62.233.51.173 DivisionWRSBE unknown 22->74 76 192.168.2.1 unknown unknown 22->76 60 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 22->60 dropped 62 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 22->62 dropped 64 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 22->64 dropped 66 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 22->66 dropped 104 Antivirus detection for dropped file 22->104 106 Multi AV Scanner detection for dropped file 22->106 108 Creates an undocumented autostart registry key 22->108 110 2 other signatures 22->110 29 rundll32.exe 22->29         started        31 cmd.exe 1 22->31         started        33 schtasks.exe 1 22->33         started        35 rundll32.exe 22->35         started        file10 signatures11 process12 process13 37 rundll32.exe 23 29->37         started        40 conhost.exe 31->40         started        42 cmd.exe 1 31->42         started        44 cmd.exe 1 31->44         started        48 4 other processes 31->48 46 conhost.exe 33->46         started        signatures14 96 System process connects to network (likely due to code injection or exploit) 37->96 98 Tries to steal Instant Messenger accounts or passwords 37->98 100 Tries to harvest and steal ftp login credentials 37->100 102 Tries to harvest and steal browser information (history, passwords, etc) 37->102 50 tar.exe 37->50         started        process15 process16 52 conhost.exe 50->52         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e10013c1610befd6ba09dbbc264579d94a7e3815eb99a643636ea259d484f454/
Threat name:
Win32.Trojan.Dopping
Create hunting rule
Status:
Malicious
First seen:
2023-01-23 04:43:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
13 of 39 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4eabhqlbbpx5noqj3o6cmrlz3ffh4oav5om2mq3dn2rftvee6rka._file
Verdict:
malicious
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey spyware stealer trojan
Link:
https://tria.ge/reports/230123-fb83wsbf89/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Amadey
Malware Config
C2 Extraction:
62.233.51.173/jb9sZZZbv7/index.php
Unpacked files
SH256 hash:
f3a504a8bbeb5b0cecdcf750ab0dc1b52e2f08559cae8fc6dcd4b73eca0c3a46
MD5 hash:
d1c6a828c30c3abf8a36c138c5a33bd9
SHA1 hash:
6f08aca52c9afe40d00f4eec047fafa48361827c
Link:
https://www.unpac.me/results/348ff0cf-241a-4fd1-afc4-62923cb96d17/
SH256 hash:
2eaf3d548927ebd243362f7bcb906bb1bbff3961223fb9521cb2846b6b8d523d
MD5 hash:
059d51f43f1a774bc5aa76d19c614670
SHA1 hash:
171329bf0f48190cf4d59ce106b139e63507457d
Link:
https://www.unpac.me/results/348ff0cf-241a-4fd1-afc4-62923cb96d17/
SH256 hash:
52b3355bd9d5de1a376b1b1edfaa1d82385c5605c89a963e5abdb5d86e606a17
MD5 hash:
84b10e00524ab8300572896be3dd2aa3
SHA1 hash:
6f20de143d1b710db67f446810e93cd46879b250
Link:
https://www.unpac.me/results/348ff0cf-241a-4fd1-afc4-62923cb96d17/
SH256 hash:
d4797b2e4957c9041ba32454657f5d9a457851c6b5845a57e0e5397707e7773e
MD5 hash:
a3ec05d5872f45528bbd05aeecf0a4ba
SHA1 hash:
68486279c63457b0579d86cd44dd65279f22d36f
Link:
https://www.unpac.me/results/348ff0cf-241a-4fd1-afc4-62923cb96d17/
SH256 hash:
c1535777985e808ccd834c73b5721596abc0fa1c9fdaaddd8da4712b2a9fd42e
MD5 hash:
c8d93f3436db67a213962f74f06f20f4
SHA1 hash:
2b6c673d2962f9c532c9d1ea5dc46b8343f6882f
Link:
https://www.unpac.me/results/348ff0cf-241a-4fd1-afc4-62923cb96d17/
SH256 hash:
bddaffd4bd21ea745dbef99ceb17617d1bd91c85cbea4cb9cb4e70c374da7cdd
MD5 hash:
af358ae6ad2dc1a55edfd2b5fe0a809e
SHA1 hash:
7da0b17ecac0eca63f54bdcf79139fc10b8ed4f5
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/348ff0cf-241a-4fd1-afc4-62923cb96d17/
SH256 hash:
e10013c1610befd6ba09dbbc264579d94a7e3815eb99a643636ea259d484f454
MD5 hash:
6c0e31aca746f1e8772237236be9b4dd
SHA1 hash:
101441c1ea7136bfb9d4035048b95b3b1c32b0f1
Link:
https://www.unpac.me/results/348ff0cf-241a-4fd1-afc4-62923cb96d17/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e10013c1610b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e10013c1610befd6ba09dbbc264579d94a7e3815eb99a643636ea259d484f454

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe e10013c1610befd6ba09dbbc264579d94a7e3815eb99a643636ea259d484f454

(this sample)

Amadey

Executable exe 1c15288c8df9551330c93dc786b2783fdd096dbe87e289315f8475d0e78e5928

  
Dropping
SHA256 1c15288c8df9551330c93dc786b2783fdd096dbe87e289315f8475d0e78e5928
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/355749/

Comments