MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e494594a9533517d5ab77d778f1bdaf917d805cebc1abfd79732f5cacddd2aff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e494594a9533517d5ab77d778f1bdaf917d805cebc1abfd79732f5cacddd2aff
SHA3-384 hash: 97aeef6cc50db5e4f9f7e94607b887131dc0da244f33580573afd382ea86636a84dd88c83fbdb53b45f60455166c4e1e
SHA1 hash: ca430a856aeec0eaaf15c58590cd8adc5cbdaf4e
MD5 hash: 6c8fada910ae5f7fd06e1de5a5da9988
humanhash: utah-friend-skylark-hotel
File name:6c8fada910ae5f7fd06e1de5a5da9988
Download: download sample
Signature Amadey
Create hunting rule
File size:485'376 bytes
First seen:2024-06-06 18:15:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f5bc5eaef7b7ceb4b3c6a5fae4fd983 (1 x Amadey)
ssdeep 12288:yTY15CXYQ9Hc/kN0p9ED9K4jy7aMbTgCQj:ycrCbH0UQ007aMxQ
Threatray 21 similar samples on MalwareBazaar
TLSH T140A4E001A6B1D822D0834539B51DFAB4D6FA7C32A751C27736842B6FDAB23D0270A7D6
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 04e2d29af989a9a1 (1 x Amadey)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
373
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e494594a9533517d5ab77d778f1bdaf917d805cebc1abfd79732f5cacddd2aff.exe
Verdict:
Malicious activity
Analysis date:
2024-06-06 18:21:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17d811b4-8e68-431f-8619-d77653d4a7f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Fareit-10030127-0
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Creating a process with a hidden window
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6661fcec0bf5978c0b0d2f2b/reports/59dbd25d-3175-4c49-8993-9bb38b51ceaf/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e494594a9533517d5ab77d778f1bdaf917d805cebc1abfd79732f5cacddd2aff
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19fed74f-5a70-4c36-8d1f-8656725a1a90
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1453286
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1453286 Sample: Aw5o3bDfdo.exe Startdate: 06/06/2024 Architecture: WINDOWS Score: 100 49 selltix.org 2->49 51 otyt.ru 2->51 53 nudump.com 2->53 59 Snort IDS alert for network traffic 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 9 other signatures 2->65 7 Aw5o3bDfdo.exe 5 2->7         started        11 Dctooux.exe 2->11         started        signatures3 process4 dnsIp5 31 C:\Users\user\AppData\Local\...\Dctooux.exe, PE32 7->31 dropped 33 C:\Users\user\...\Dctooux.exe:Zone.Identifier, ASCII 7->33 dropped 67 Detected unpacking (changes PE section rights) 7->67 69 Detected unpacking (overwrites its own PE header) 7->69 71 Contains functionality to inject code into remote processes 7->71 14 WerFault.exe 16 7->14         started        17 WerFault.exe 16 7->17         started        19 WerFault.exe 16 7->19         started        29 7 other processes 7->29 55 selltix.org 190.146.112.188, 49729, 49730, 49732 TelmexColombiaSACO Colombia 11->55 57 otyt.ru 91.189.114.21, 49726, 49727, 49728 RU-CENTERRU Russian Federation 11->57 73 Multi AV Scanner detection for dropped file 11->73 21 WerFault.exe 11->21         started        23 WerFault.exe 11->23         started        25 WerFault.exe 11->25         started        27 WerFault.exe 11->27         started        file6 signatures7 process8 file9 35 C:\ProgramData\Microsoft\...\Report.wer, Unicode 14->35 dropped 37 C:\ProgramData\Microsoft\...\Report.wer, Unicode 17->37 dropped 39 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->39 dropped 41 C:\ProgramData\Microsoft\...\Report.wer, Unicode 29->41 dropped 43 C:\ProgramData\Microsoft\...\Report.wer, Unicode 29->43 dropped 45 C:\ProgramData\Microsoft\...\Report.wer, Unicode 29->45 dropped 47 3 other malicious files 29->47 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e494594a9533517d5ab77d778f1bdaf917d805cebc1abfd79732f5cacddd2aff
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e494594a9533517d5ab77d778f1bdaf917d805cebc1abfd79732f5cacddd2aff/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-06-06 18:16:09 UTC
File Type:
PE (Exe)
Extracted files:
59
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4skfssuvgnix2wvxpv3y6g627el5qbooxqnl7v4xgl24vto5fl7q._file
Verdict:
malicious
Similar samples:
2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
Amadey
339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
Amadey
3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348
Amadey
4b3214ca5ec9721278989a43bf21b9450e5b8597dae25a4262dbece4a1193351
Amadey
6e1d2a58743dd5b05b0654ae4067d77f7580ba07fe034cd7b068f4a084d9fdcd
Amadey
86d0052d6f487909edc1f49853d68360b0ad3cd600a1f36e3fdc944a9242461f
Amadey
c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3
Amadey
ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db
Amadey
+ 11 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey botnet:8fc809 trojan
Link:
https://tria.ge/reports/240606-ww5tzaah34/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Malware Config
C2 Extraction:
http://nudump.com
http://otyt.ru
http://selltix.org
Unpacked files
SH256 hash:
281b0380c8c05150697d5a8c343c6af3095b34d9adf5433c45a0c260479cc5f3
MD5 hash:
a4b20bf0fc8c97557f36f8aa2fd9a875
SHA1 hash:
f7f8f940a82d5d2cb4293844109d7349c744e426
Detections:
win_amadey_auto
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/12c52c4f-5844-437d-bc19-84aca3333159/
Parent samples :
86d0052d6f487909edc1f49853d68360b0ad3cd600a1f36e3fdc944a9242461f
e494594a9533517d5ab77d778f1bdaf917d805cebc1abfd79732f5cacddd2aff
6ea1b7fc2afd69e401cf82a20c32a800a18bcfd16f29926d6660df7c271fdff4
314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61
SH256 hash:
e494594a9533517d5ab77d778f1bdaf917d805cebc1abfd79732f5cacddd2aff
MD5 hash:
6c8fada910ae5f7fd06e1de5a5da9988
SHA1 hash:
ca430a856aeec0eaaf15c58590cd8adc5cbdaf4e
Link:
https://www.unpac.me/results/12c52c4f-5844-437d-bc19-84aca3333159/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e494594a9533/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e494594a9533517d5ab77d778f1bdaf917d805cebc1abfd79732f5cacddd2aff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe e494594a9533517d5ab77d778f1bdaf917d805cebc1abfd79732f5cacddd2aff

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2877425/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::RevertToSelf
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleOutputA
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetConsoleOutputCP
KERNEL32.dll::SetConsoleTitleA
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::SetVolumeMountPointA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA

Comments


Avatar
zbet commented on 2024-06-06 18:15:35 UTC

url : hxxps://jtpdev.co.uk/images/8fc809.exe