MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e24ffea81324b413a7c0a88944f9ab29b21eb654f18d19d2550ff03a641a03f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 11


Intelligence 11 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e24ffea81324b413a7c0a88944f9ab29b21eb654f18d19d2550ff03a641a03f2
SHA3-384 hash: 4590cf6b577de8789db6fd5e99da072f291b1019c281d4745787137c4cd6fad322ed97f60bf3afd31cd1b946f4a64bec
SHA1 hash: aff80912c0df420742f5aae7112b0ea85e974452
MD5 hash: 85cb5152da97d45d8880282d2ff2b7a5
humanhash: johnny-lima-wolfram-carbon
File name:85cb5152da97d45d8880282d2ff2b7a5.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:192'000 bytes
First seen:2021-10-28 15:01:57 UTC
Last seen:2021-10-28 16:24:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b117a88efd5ad3db577a4f98b26ff8a (2 x RedLineStealer, 2 x AveMariaRAT, 1 x LimeRAT)
ssdeep 3072:+plrcbqgFBrVvo09CcSsePA0jvv8ogT2rLKmKKVMn/iWrxpzbgqruXhspVggjcGb:0lBgF3o0CcSFIGgif4KG/iuzbgwu6L7W
TLSH T17B148DF072E9C871D0A339314865CAA04EEBBC61DA21554B3274235E2B77ECC9BE535E
File icon (PE):PE icon
dhash icon fcfcd4d4d4dcd8c0 (52 x RaccoonStealer, 28 x RedLineStealer, 6 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
45.67.231.145:10991

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.67.231.145:10991 https://threatfox.abuse.ch/ioc/239282/
23.94.183.146:60709 https://threatfox.abuse.ch/ioc/239304/
192.210.214.85:3306 https://threatfox.abuse.ch/ioc/239305/

Intelligence

File Origin
# of uploads :
2
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200957/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.35416.23011.25355.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8efaa39c-c278-4ccb-8c9b-fcad9076b603
Result
Threat name:
Amadey Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878689
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511123 Sample: 4BxZpwUFPO.exe Startdate: 28/10/2021 Architecture: WINDOWS Score: 100 79 ttmirror.top 2->79 81 teletele.top 2->81 83 12 other IPs or domains 2->83 99 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->99 101 Multi AV Scanner detection for domain / URL 2->101 103 Antivirus detection for URL or domain 2->103 105 14 other signatures 2->105 12 4BxZpwUFPO.exe 2->12         started        15 cwbjjrh 2->15         started        17 sqtvvs.exe 2->17         started        signatures3 process4 signatures5 141 Contains functionality to inject code into remote processes 12->141 143 Injects a PE file into a foreign processes 12->143 19 4BxZpwUFPO.exe 12->19         started        145 Machine Learning detection for dropped file 15->145 22 cwbjjrh 15->22         started        process6 signatures7 107 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->107 109 Maps a DLL or memory area into another process 19->109 111 Checks if the current machine is a virtual machine (disk enumeration) 19->111 113 Creates a thread in another existing process (thread injection) 19->113 24 explorer.exe 14 19->24 injected process8 dnsIp9 91 216.128.137.31, 80 AS-CHOOPAUS United States 24->91 93 iyc.jelikob.ru 81.177.141.36, 443, 49817 RTCOMM-ASRU Russian Federation 24->93 95 5 other IPs or domains 24->95 63 C:\Users\user\AppData\Roaming\vcbjjrh, PE32 24->63 dropped 65 C:\Users\user\AppData\Roaming\cwbjjrh, PE32 24->65 dropped 67 C:\Users\user\AppData\Local\Temp\CC2F.exe, PE32 24->67 dropped 69 9 other files (8 malicious) 24->69 dropped 133 System process connects to network (likely due to code injection or exploit) 24->133 135 Benign windows process drops PE files 24->135 137 Deletes itself after installation 24->137 139 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->139 29 5894.exe 4 24->29         started        33 4AB8.exe 1 24->33         started        35 CC2F.exe 24->35         started        37 6 other processes 24->37 file10 signatures11 process12 dnsIp13 71 C:\Users\user\AppData\Local\...\sqtvvs.exe, PE32 29->71 dropped 147 Multi AV Scanner detection for dropped file 29->147 149 Detected unpacking (changes PE section rights) 29->149 151 Machine Learning detection for dropped file 29->151 40 sqtvvs.exe 14 29->40         started        73 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 33->73 dropped 153 DLL reload attack detected 33->153 155 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 33->155 157 Renames NTDLL to bypass HIPS 33->157 169 3 other signatures 33->169 159 Injects a PE file into a foreign processes 35->159 44 CC2F.exe 35->44         started        85 93.115.20.139, 28978, 49911 MVPShttpswwwmvpsnetEU Romania 37->85 87 162.159.129.233, 443, 49818, 49919 CLOUDFLARENETUS United States 37->87 89 3 other IPs or domains 37->89 75 C:\ProgramData\136.exe, PE32 37->75 dropped 77 C:\ProgramData\1234.exe.zip, Zip 37->77 dropped 161 Detected unpacking (overwrites its own PE header) 37->161 163 Writes to foreign memory regions 37->163 165 Allocates memory in foreign processes 37->165 167 Sample uses process hollowing technique 37->167 46 aspnet_regiis.exe 37->46         started        48 aspnet_wp.exe 37->48         started        50 unarchiver.exe 37->50         started        file14 signatures15 process16 dnsIp17 97 185.215.113.45, 49849, 49850, 49851 WHOLESALECONNECTIONSNL Portugal 40->97 117 Multi AV Scanner detection for dropped file 40->117 119 Detected unpacking (changes PE section rights) 40->119 121 Machine Learning detection for dropped file 40->121 123 Uses schtasks.exe or at.exe to add and modify task schedules 40->123 52 cmd.exe 40->52         started        54 schtasks.exe 40->54         started        125 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 44->125 127 Maps a DLL or memory area into another process 44->127 129 Checks if the current machine is a virtual machine (disk enumeration) 44->129 131 Creates a thread in another existing process (thread injection) 44->131 signatures18 process19 process20 56 reg.exe 52->56         started        59 conhost.exe 52->59         started        61 conhost.exe 54->61         started        signatures21 115 Creates an undocumented autostart registry key 56->115
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e24ffea81324b413a7c0a88944f9ab29b21eb654f18d19d2550ff03a641a03f2/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 15:02:04 UTC
AV detection:
25 of 44 (56.82%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4jh75kates2bhj6avceuj6nlfgzb5nsu6ggrtusvb7yduza2apza._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:raccoon family:redline family:smokeloader family:vidar botnet:60e59be328fbd2ebac1839ea99411dccb00a6f49 botnet:754 botnet:999323 botnet:dywa botnet:safeinstaller botnet:super star backdoor discovery evasion infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/211028-segt2ageep/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
Amadey
Raccoon
RedLine
RedLine Payload
SmokeLoader
Turns off Windows Defender SpyNet reporting
UAC bypass
Vidar
Windows security bypass
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
http://planilhasvba.com.br/wp-admin/js/k/index.php
http://rpk32ubon.ac.th/backup/k/index.php
http://4urhappiness.com/app/k/index.php
http://swedenkhabar.com/wp-admin/js/k/index.php
http://cio.lankapanel.net/wp-admin/js/k/index.php
http://fcmsites.com.br/canal/wp-admin/js/k/index.php
http://lacoibipitanga.com.br/maxart/k/index.php
http://lacoibipitanga.com.br/cgi-bin/k/index.php
http://video.nalahotel.com/k/index.php
http://diving-phocea.com/wp-admin/k/index.php
http://phocea-sudan.com/cgi-bin/k/index.php
http://rpk32ubon.ac.th/wp-admin/js/k/index.php
https://www.twinrealty.com/vworker/k/index.php
https://mas.to/@lilocc
93.115.20.139:28978
185.183.32.161:80
185.183.32.183:55694
45.67.231.145:10991
185.215.113.45/g4MbvE/index.php
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/76f7ed83-84d5-484d-8fc6-a7b6505bfd68/
SH256 hash:
e24ffea81324b413a7c0a88944f9ab29b21eb654f18d19d2550ff03a641a03f2
MD5 hash:
85cb5152da97d45d8880282d2ff2b7a5
SHA1 hash:
aff80912c0df420742f5aae7112b0ea85e974452
Link:
https://www.unpac.me/results/76f7ed83-84d5-484d-8fc6-a7b6505bfd68/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e24ffea81324/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e24ffea81324b413a7c0a88944f9ab29b21eb654f18d19d2550ff03a641a03f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe e24ffea81324b413a7c0a88944f9ab29b21eb654f18d19d2550ff03a641a03f2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/200957/

Comments