MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d
SHA3-384 hash: f66654d38d2ff117a92478c0eaf85bc16ce2787c0b376cc6abb0a45e040f7f09abcf706faddaaab34ad259ec8a75eef9
SHA1 hash: f9c32541d671b76836ee4be4ee0372e61769a52b
MD5 hash: 9f4f78bf6f4de06e1beabcf740a58c8e
humanhash: finch-asparagus-earth-sink
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:474'624 bytes
First seen:2023-08-30 14:19:58 UTC
Last seen:2023-09-01 05:39:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 6144:RBE9jrgRuQwWQQNZ3+e14YAoKcrSgTtETjKrWpTIzR03X/Y1HFJqScnUQ:Rm9oRPNZO04zg5ETmITIzRM/YHtqUQ
TLSH T148A4F1FD8452F29D5C172E78A8FB32CE03E61493BD64349149AB16932A33AB0C55FF25
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter jstrosch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
8
# of downloads :
289
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://dalaibeauty.com/wp-includes/install/Setup_pass1234.7z
Verdict:
Malicious activity
Analysis date:
2023-08-30 12:37:03 UTC
Tags:
privateloader opendir evasion loader risepro stealer redline fabookie trojan stealc amadey botnet smoke miner
Link:
https://app.any.run/tasks/fb5bc698-81bb-471f-8f28-dfb61985ed0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445336/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.35404.13938.6390.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
Creating a file
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Enabling autorun by creating a file
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed shell32
Link:
https://www.filescan.io/uploads/64ef50159ff753467d7fd57d/reports/f1dd29ac-40e9-4025-8b22-53f65ae3d30f/overview
Verdict:
Malicious
Labled as:
FakeAlert.Generic
Link:
https://www.hybrid-analysis.com/sample/e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5120d62c-c175-40b0-8d5e-4664b4b091ef
Result
Threat name:
Amadey, DotRunpeX, Glupteba, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1300452
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found hidden mapped module (file has been removed from disk)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected DotRunpeX
Yara detected Glupteba
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1300452 Sample: file.exe Startdate: 30/08/2023 Architecture: WINDOWS Score: 100 107 taibi.at 2->107 109 shsplatform.co.uk 2->109 123 Snort IDS alert for network traffic 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 Antivirus detection for URL or domain 2->127 129 15 other signatures 2->129 12 file.exe 3 2->12         started        15 updater.exe 2->15         started        18 tueghjc 2->18         started        20 7 other processes 2->20 signatures3 process4 file5 85 C:\Users\user\AppData\Local\...\newplayer.exe, PE32 12->85 dropped 87 C:\Users\user\AppData\Local\...\a5718b57.exe, PE32 12->87 dropped 22 newplayer.exe 3 12->22         started        26 a5718b57.exe 12->26         started        89 C:\Windows\Temp\whxcdqscjswq.tmp, PE32+ 15->89 dropped 91 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 15->91 dropped 189 Protects its processes via BreakOnTermination flag 15->189 191 Injects code into the Windows Explorer (explorer.exe) 15->191 193 Writes to foreign memory regions 15->193 203 4 other signatures 15->203 195 Multi AV Scanner detection for dropped file 18->195 197 Detected unpacking (changes PE section rights) 18->197 199 Machine Learning detection for dropped file 18->199 205 3 other signatures 18->205 201 Changes security center settings (notifications, updates, antivirus, firewall) 20->201 signatures6 process7 file8 77 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 22->77 dropped 157 Antivirus detection for dropped file 22->157 159 Multi AV Scanner detection for dropped file 22->159 161 Machine Learning detection for dropped file 22->161 163 Contains functionality to inject code into remote processes 22->163 28 oneetx.exe 25 22->28         started        165 Detected unpacking (changes PE section rights) 26->165 167 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 26->167 169 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 26->169 171 3 other signatures 26->171 33 explorer.exe 7 26->33 injected signatures9 process10 dnsIp11 111 79.137.192.18, 49765, 80 PSKSET-ASRU Russian Federation 28->111 113 45.9.74.80, 49762, 49763, 49764 FIRST-SERVER-EU-ASRU Russian Federation 28->113 115 5.42.65.80, 49767, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 28->115 93 C:\Users\user\AppData\Local\Temp\...\UMR.exe, PE32+ 28->93 dropped 95 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 28->95 dropped 97 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 28->97 dropped 105 5 other malicious files 28->105 dropped 173 Antivirus detection for dropped file 28->173 175 Multi AV Scanner detection for dropped file 28->175 177 Creates an undocumented autostart registry key 28->177 185 2 other signatures 28->185 35 31839b57a4f11171d6abc8bbc4451ee4.exe 13 28->35         started        38 latestX.exe 28->38         started        41 toolspub2.exe 28->41         started        49 3 other processes 28->49 117 189.232.25.209, 49993, 49996, 49999 UninetSAdeCVMX Mexico 33->117 119 80.66.88.127, 50046, 80 RISS-ASRU Russian Federation 33->119 121 2 other IPs or domains 33->121 99 C:\Users\user\AppData\Roaming\tueghjc, PE32 33->99 dropped 101 C:\Users\user\AppData\Local\Temp\A107.exe, PE32 33->101 dropped 103 C:\Users\user\AppData\Local\Temp\252.exe, PE32 33->103 dropped 179 System process connects to network (likely due to code injection or exploit) 33->179 181 Benign windows process drops PE files 33->181 183 Suspicious powershell command line found 33->183 187 2 other signatures 33->187 43 cmd.exe 33->43         started        45 cmd.exe 33->45         started        47 powershell.exe 33->47         started        51 4 other processes 33->51 file12 signatures13 process14 file15 131 Multi AV Scanner detection for dropped file 35->131 133 Detected unpacking (changes PE section rights) 35->133 135 Detected unpacking (overwrites its own PE header) 35->135 155 2 other signatures 35->155 53 31839b57a4f11171d6abc8bbc4451ee4.exe 35->53         started        55 powershell.exe 35->55         started        79 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 38->79 dropped 81 C:\Windows\System32\drivers\etc\hosts, ASCII 38->81 dropped 137 Suspicious powershell command line found 38->137 139 Modifies the hosts file 38->139 141 Adds a directory exclusion to Windows Defender 38->141 143 Machine Learning detection for dropped file 41->143 145 Injects a PE file into a foreign processes 41->145 57 toolspub2.exe 41->57         started        147 Uses powercfg.exe to modify the power settings 43->147 149 Modifies power options to not sleep / hibernate 43->149 63 6 other processes 43->63 65 5 other processes 45->65 151 Creates files in the system32 config directory 47->151 59 conhost.exe 47->59         started        83 C:\Zemana.sys, PE32+ 49->83 dropped 153 Sample is not signed and drops a device driver 49->153 61 conhost.exe 49->61         started        67 7 other processes 49->67 69 6 other processes 51->69 signatures16 process17 process18 71 powershell.exe 53->71         started        73 conhost.exe 55->73         started        process19 75 conhost.exe 71->75         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-08-30 12:01:33 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4pgf6eteojexqjvngtioanenhufa32qsnvpmopc62gtov6hwe4wq._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:glupteba family:smokeloader family:xmrig botnet:pub5 botnet:up3 backdoor discovery dropper evasion loader miner persistence rootkit trojan upx
Link:
https://tria.ge/reports/230830-rnfsnafh66/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Amadey
Glupteba
Glupteba payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
xmrig
Malware Config
C2 Extraction:
45.9.74.80/0bjdn2Z/index.php
http://taibi.at/tmp/
http://01stroy.ru/tmp/
http://mal-net.com/tmp/
http://gromograd.ru/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
10404d8441ad542ad87e4c65273b85c363ff88eb1742a55761c266b03cba6239
MD5 hash:
093e62edc8ff597edff531323100aeee
SHA1 hash:
7248d21d5221aa613b5d4fb234fd794a6eb22e63
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/c24bc4dc-c707-4c64-8e69-89cfc5a725b5/
Parent samples :
e1c417cdc500c29e12ee68d5bc4e52314d045031b5380b7854b4b34ec9ea0abe
08e61151199e31c2cf54f12f95c8ad95ee8467bb630166800114c0b912682a74
1e662d2a9bc77dc09ff39c21dbd8f11968da7c1dea6f4bbcfc5216c0d8f8c8fd
eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7
6531b801cc6cbf4139616803f9d43e9b886eed6c9ca82b86bb9c461c50f673a0
dc8ce8ab78c6cdddfd1ccd40a3b8d4d177a9ab9de871bbf9e81c54b97e29a342
2dea8cfcd31f4675d5462c385139b59528759bee88aec34ed9d0757d289e7a34
e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d
4d7a22a1f7d76310b2c8420cb2f02ef4633cb689e4b8eaaab165731b9341163f
2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7
SH256 hash:
39802eed754213acc652f216b8ca71bb66b278b9b425ce9536a786b7bd3cbf0b
MD5 hash:
13a5b1b01c2562b09003b63bc7bc80cd
SHA1 hash:
8d80c63581a3331b0fcc3d8934d2ceaacd70300a
Link:
https://www.unpac.me/results/c24bc4dc-c707-4c64-8e69-89cfc5a725b5/
SH256 hash:
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
MD5 hash:
f0033521f40c06dec473854c7d98fa8b
SHA1 hash:
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/c24bc4dc-c707-4c64-8e69-89cfc5a725b5/
Parent samples :
6aa14b8612361f8cd34a86edcf341aaee819fb9a0cc18d51165e52afdcbe5e60
68af9af3506c7a35ef60026b6662cbc1fda0b36007a6eb48a974e4d7574db21f
81d2aa64b3f784fc0dab7694d106bedbd193786ab47dd064c0c5a8714d3fcaff
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
23d2138b76775d5169145dedfaff7db5bca58b481994ced84cade8490e720fc1
f991e808ed44c731fea1758fd6a275ec4e3ee66a5a691dbf1f9414a5faa144a1
10c5faf1316a4caf9edafd41c9c5a87a346c3cceb81de7ca106eee22be3069b8
e1c417cdc500c29e12ee68d5bc4e52314d045031b5380b7854b4b34ec9ea0abe
08e61151199e31c2cf54f12f95c8ad95ee8467bb630166800114c0b912682a74
eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7
6531b801cc6cbf4139616803f9d43e9b886eed6c9ca82b86bb9c461c50f673a0
dc8ce8ab78c6cdddfd1ccd40a3b8d4d177a9ab9de871bbf9e81c54b97e29a342
2dea8cfcd31f4675d5462c385139b59528759bee88aec34ed9d0757d289e7a34
e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d
4d7a22a1f7d76310b2c8420cb2f02ef4633cb689e4b8eaaab165731b9341163f
SH256 hash:
e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d
MD5 hash:
9f4f78bf6f4de06e1beabcf740a58c8e
SHA1 hash:
f9c32541d671b76836ee4be4ee0372e61769a52b
Link:
https://www.unpac.me/results/c24bc4dc-c707-4c64-8e69-89cfc5a725b5/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e3cc5f126472/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/445336/
  
URLhaus
https://urlhaus.abuse.ch/url/2706900/

Comments