MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e36f30a95d3191cb1b1c4403114ea9ba1a5ecc7547a37a873597c09c25b0093c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e36f30a95d3191cb1b1c4403114ea9ba1a5ecc7547a37a873597c09c25b0093c
SHA3-384 hash: 784d8a6c698cdb4face16b0e3694e559fc783664b4c7a22d74bf611abcd098a873e99b30039c5abefc708fc8ccf1aa2a
SHA1 hash: 967029f9bf67ce956cc75591c29fa274f250b8ba
MD5 hash: a8e7913fabac09993804f09d930e11c4
humanhash: cat-aspen-two-hot
File name:a8e7913fabac09993804f09d930e11c4.bin.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:5'752'832 bytes
First seen:2023-09-19 19:05:56 UTC
Last seen:2023-09-19 19:35:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b5d5a4d41193c48cd2a4e81953124fd0 (1 x Amadey)
ssdeep 98304:aoBE1f4w/Zo8L3t/XVWElExudaJsWARm5DFgDcVCKR/Lgv8F28W/:ZBzw/iiVXVWElExuda6F2O4VJJLg0F2
Threatray 11 similar samples on MalwareBazaar
TLSH T16D46233343651181E0E2CC3DD63BBEE5B2F6036E9B41E87849E7A9C135625E1EB13A53
TrID 35.1% (.SCR) Windows screen saver (13097/50/3)
17.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.5% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://5.42.64.45/8bmeVwqx/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
303
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
e36f30a95d3191cb1b1c4403114ea9ba1a5ecc7547a37a873597c09c25b0093c.exe
Verdict:
Malicious activity
Analysis date:
2023-09-19 19:08:52 UTC
Tags:
amadey botnet stealer trojan loader
Link:
https://app.any.run/tasks/d2ba9bb4-2746-4aec-ad44-7700f82dcdf7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/449826/
Detection(s):
SecuriteInfo.com.FileRepMalware.19947.25606.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Creating a file
Creating a window
DNS request
Delayed reading of the file
Sending a custom TCP request
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin masquerade packed packed shell32 vmprotect
Link:
https://www.filescan.io/uploads/6509f12e988a26b6d96ec93d/reports/87e320fc-fd28-47da-ad62-7a44f845420b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e36f30a95d3191cb1b1c4403114ea9ba1a5ecc7547a37a873597c09c25b0093c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/726e98d6-5ada-4271-badc-06c7f329b83f
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311060
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Detected VMProtect packer
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1311060 Sample: g7x46xBqQ7.exe Startdate: 19/09/2023 Architecture: WINDOWS Score: 100 73 letbitadadojifouhw3.me 2->73 75 dfatesythrts443.me 2->75 97 Snort IDS alert for network traffic 2->97 99 Found malware configuration 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 10 other signatures 2->103 11 g7x46xBqQ7.exe 4 2->11         started        15 nhdues.exe 2->15         started        17 nhdues.exe 2->17         started        19 nhdues.exe 2->19         started        signatures3 process4 file5 71 C:\Users\user\AppData\Local\...\nhdues.exe, PE32 11->71 dropped 123 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->123 125 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->125 127 Tries to evade analysis by execution special instruction (VM detection) 11->127 129 Tries to detect virtualization through RDTSC time measurements 11->129 21 nhdues.exe 21 11->21         started        26 conhost.exe 11->26         started        131 Hides threads from debuggers 15->131 signatures6 process7 dnsIp8 77 dfatesythrts443.me 21->77 79 5.42.64.45, 49728, 49729, 49730 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 21->79 81 letbitadadojifouhw3.me 21->81 63 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 21->63 dropped 65 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 21->65 dropped 67 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 21->67 dropped 69 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 21->69 dropped 113 Multi AV Scanner detection for dropped file 21->113 115 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->115 117 Creates an undocumented autostart registry key 21->117 121 5 other signatures 21->121 28 rundll32.exe 21->28         started        30 rundll32.exe 21->30         started        33 rundll32.exe 21->33         started        35 5 other processes 21->35 file9 119 System process connects to network (likely due to code injection or exploit) 77->119 signatures10 process11 signatures12 37 rundll32.exe 28->37         started        133 Contains functionality to modify clipboard data 30->133 41 rundll32.exe 19 30->41         started        43 rundll32.exe 33->43         started        45 conhost.exe 35->45         started        47 conhost.exe 35->47         started        49 cmd.exe 1 35->49         started        51 5 other processes 35->51 process13 dnsIp14 83 letbitadadojifouhw3.me 37->83 85 dfatesythrts443.me 37->85 87 192.168.2.1 unknown unknown 37->87 105 System process connects to network (likely due to code injection or exploit) 37->105 107 Tries to steal Instant Messenger accounts or passwords 37->107 109 Tries to harvest and steal ftp login credentials 37->109 111 Tries to harvest and steal browser information (history, passwords, etc) 37->111 53 tar.exe 1 37->53         started        89 letbitadadojifouhw3.me 41->89 91 dfatesythrts443.me 41->91 55 tar.exe 1 41->55         started        93 letbitadadojifouhw3.me 43->93 95 dfatesythrts443.me 43->95 57 tar.exe 2 43->57         started        signatures15 process16 process17 59 conhost.exe 55->59         started        61 conhost.exe 57->61         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e36f30a95d3191cb1b1c4403114ea9ba1a5ecc7547a37a873597c09c25b0093c/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-09-19 19:06:18 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4nxtbkk5ggi4wgy4iqbrctvjxinf5tdvi6rxvbzvs7ajyjnqbe6a._file
Verdict:
unknown
Similar samples:
021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867
Amadey
0e41ffd44bc8a085a3bd49058ff0051538476c8a05f086593b02bc87b30268dc
Amadey
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1
Amadey
2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef
Amadey
33cbdeba761fab35dfa4e60a03d0625ec53f77b17148385548a763b888c9b221
Amadey
88d82f209133f753957f901cead443ad4e6a0daa148c098dacb565a64be2e80d
Amadey
956ad9b8b0f3fe9a83d875f0b90b3c6fc72e3b670549de683de44b70f0a090c8
Amadey
+ 1 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/230919-xr4lsabd91/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
VMProtect packed file
Downloads MZ/PE file
Amadey
Malware Config
C2 Extraction:
http://5.42.64.45/8bmeVwqx/index.php
Unpacked files
SH256 hash:
e36f30a95d3191cb1b1c4403114ea9ba1a5ecc7547a37a873597c09c25b0093c
MD5 hash:
a8e7913fabac09993804f09d930e11c4
SHA1 hash:
967029f9bf67ce956cc75591c29fa274f250b8ba
Link:
https://www.unpac.me/results/5c443b17-4f28-4bc0-a8aa-0a161f2b74ad/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e36f30a95d31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e36f30a95d3191cb1b1c4403114ea9ba1a5ecc7547a37a873597c09c25b0093c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/449826/

Comments