MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5653d7990167fe4072984ee0af9b8547a65ff931944b0365faca726e0e3d6ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Amadey


Vendor detections: 10



SHA256 hash: e5653d7990167fe4072984ee0af9b8547a65ff931944b0365faca726e0e3d6ea
SHA3-384 hash: c51709426aae18bf5387e46e91474a0aa8810f6197f6de5ccefe99e589699acae25ad78df88414ff89c93883257e00c3
SHA1 hash: 7cf7ec0a6484bde3b23b14f1e0dddaa423530b5c
MD5 hash: f67e91ea39ec8ae219cbd761d17329b7
humanhash: tango-hawaii-oscar-fourteen
File name: SecuriteInfo.com.Trojan.Siggen29.34801.26177.26344
Signature Amadey
File size: 514'560 bytes
First seen: 2024-09-15 17:25:30 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 6144:X2c8dZ2n5R76wK5QEDQUFMyLQDJtk+JKN7n7F9VDLuOsAXcMatgiy6Rf4ZqS6ceP:N8qnf7g5zFMyQijtFvWAXwty6yickd
TLSH T179B45B658B899646D6310F3302579B20E3F3B89EC362172A3E3ED9609D57BF16F8214D
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags: Amadey dll
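The imphash above is shared with 227 other samples across three unrelated families (YellowCockatoo, CobaltStrike, JanelaRAT), which is expected for a .NET DLL: a managed image imports only mscoree.dll!_CorDllMain, so every .NET DLL normalises to the same import string. The following added example (not MalwareBazaar or pefile code) reimplements the import-hash normalisation used by pefile's get_imphash() on constructed import tables, so the effect can be reproduced offline; the import lists and the `imphash_is_discriminating` helper are this example's own, not anything taken from the sample.

```python
import hashlib

# Added example (not MalwareBazaar code). It reproduces the import-hash
# normalisation used by pefile's get_imphash(), to show why a single imphash
# such as the one listed above is shared by hundreds of unrelated .NET samples.

# Extensions pefile strips from the module name before hashing.
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def imphash_string(imports):
    """Return the canonical 'module.function,module.function,...' string.

    `imports` is a list of (dll_name, function) pairs in import-table order,
    where `function` is a name (str) or an ordinal (int). Ordinals become
    'ordN'; pefile additionally resolves ordinals for a few well-known DLLs
    (e.g. ws2_32), which this simplified version deliberately skips.
    """
    parts = []
    for dll, func in imports:
        module = dll.lower()
        base, _, ext = module.rpartition(".")
        if base and ext in STRIPPED_EXTENSIONS:
            module = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{module}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string, as pefile computes it."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def imphash_is_discriminating(imports):
    """An imphash built from a single runtime-entry import (the .NET case)
    cannot tell samples apart; flag it so clustering does not rely on it."""
    return len(imports) > 1


# Constructed import tables (not read from the sample above).
# A managed (.NET) DLL has exactly one native import, mscoree.dll!_CorDllMain,
# so every .NET DLL collapses to the same imphash regardless of its family.
DOTNET_DLL_IMPORTS = [("mscoree.dll", "_CorDllMain")]
DOTNET_DLL_IMPORTS_MIXED_CASE = [("MSCOREE.DLL", "_CORDLLMAIN")]

# A native DLL with a handful of imports, for contrast; the ordinal import
# exercises the 'ordN' fallback.
NATIVE_DLL_IMPORTS = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("WS2_32.dll", 23),
    ("ADVAPI32.dll", "RegOpenKeyExA"),
]

if __name__ == "__main__":
    print(imphash_string(DOTNET_DLL_IMPORTS), imphash(DOTNET_DLL_IMPORTS))
    print(imphash_string(NATIVE_DLL_IMPORTS), imphash(NATIVE_DLL_IMPORTS))
```

Running the block prints the canonical string `mscoree._cordllmain` and its MD5; compare that value with the imphash listed in this entry to confirm whether the shared hash is nothing more than the bare runtime import. For .NET samples, pivot on ssdeep, TLSH or the YARA matches on the unpacked payloads instead of imphash.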

Intelligence


File Origin
# of uploads: 1
# of downloads: 394
Origin country: FR
Vendor Threat Intelligence

Verdict: Malicious
Score: 81.4%
Tags: Generic Msil

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated

Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: n/a
Detection: malicious
Classification: n/a
Score: 64 / 100
Signatures: AI detected suspicious sample; Antivirus / Scanner detection for submitted sample; Machine Learning detection for sample; Multi AV Scanner detection for submitted file
Behaviour (Behavior Graph ID: 1511556, Sample: SecuriteInfo.com.Trojan.Sig..., Startdate: 15/09/2024, Architecture: WINDOWS, Score: 64), process tree as recorded by the sandbox:
  loaddll32.exe
    cmd.exe
      rundll32.exe
    conhost.exe

Threat name: Win32.Trojan.Whispergate
Status: Malicious
First seen: 2024-09-01 13:45:28 UTC
File Type: PE (.Net Dll)
Extracted files: 4
AV detection: 20 of 38 (52.63%)
Threat level: 5/5
Verdict: malicious

Malware family: n/a
Score: 3/10
Tags: n/a

The vendors do not agree: verdicts range from UNKNOWN to Malicious, scores from 3/10 to 81.4%, and the only vendor that names a threat calls it Win32.Trojan.Whispergate, which is not the Amadey family this entry is tagged with. One vendor also reports a first-seen date (2024-09-01) two weeks before the MalwareBazaar upload, so the sample was already in circulation before it was submitted here. The only sandbox behaviour recorded is the generic DLL-loading chain (loaddll32.exe spawning cmd.exe, conhost.exe and rundll32.exe), which is what the sandbox itself does to exercise a DLL and is not evidence of the sample's own activity.
Unpacked files

SHA256 hash: 9e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951
MD5 hash: ced97d60021d4a0bfa03ee14ec384c12
SHA1 hash: 7af327df2a2d1e0e09034c2bdf6a47f788cec4e4
Detections: Amadey win_amadey_auto win_amadey

SHA256 hash: 6f407dc72bb9c01bdef4b9e221332def7d8797bf6664846cd7b1230c9d74a59a
MD5 hash: 447459c6eb95d9cdfd693927d1ef4de4
SHA1 hash: e595aeef4667ae4a3bf8e86ebff89566d9c6bc53
Detections: Amadey win_amadey_auto win_amadey

SHA256 hash: e5653d7990167fe4072984ee0af9b8547a65ff931944b0365faca726e0e3d6ea
MD5 hash: f67e91ea39ec8ae219cbd761d17329b7
SHA1 hash: 7cf7ec0a6484bde3b23b14f1e0dddaa423530b5c
Detections: SUSP_XORed_MSDOS_Stub_Message

The third entry is the submitted DLL itself (its SHA256, MD5 and SHA1 match the file information above); on its own it matches only the XORed-DOS-stub rule, while the two files unpacked from it are what the Amadey rules (win_amadey_auto, win_amadey) match. The Amadey attribution for this entry is therefore supported by the unpacked payloads rather than by the submitted file alone, and any IOC sharing should include the two unpacked hashes, not just the container's.
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: extracted_at_0x44b
Author: cb
Description: sample - file extracted_at_0x44b.exe
Reference: Internal Research

Rule name: NET
Author: malware-lu

Rule name: NETDLLMicrosoft
Author: malware-lu

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
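SUSP_XORed_MSDOS_Stub_Message fires when the standard DOS-stub text appears XOR-encoded with a single-byte key, which is how YARA's xor(0x01-0xff) string modifier works and is a cheap tell for an embedded, XOR-obfuscated PE such as the payloads unpacked from this sample. The following added example (not the YARA rule itself, nor anything from MalwareBazaar or the sample) reimplements that check in plain Python and goes one step further than the rule by carving the encoded image: it looks for the XORed "MZ" shortly before the hit and decodes from there. The inner and outer files are constructed inline; the key 0x37, the offsets and the `max_header_distance` window are this example's own choices.

```python
# Added example (not part of the YARA rule or MalwareBazaar). It reimplements
# the check behind SUSP_XORed_MSDOS_Stub_Message: look for the standard DOS-stub
# message under every single-byte XOR key, which is what YARA's
# xor(0x01-0xff) string modifier does, and then carve the encoded PE.

DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode"


def xor_bytes(data, key):
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_strings(data, needle=DOS_STUB_MESSAGE, keys=range(0x01, 0x100)):
    """Return [(offset, key), ...] for each occurrence of needle XORed with a
    single-byte key. Key 0x00 is excluded on purpose, exactly as the YARA
    rule's xor(0x01-0xff) range excludes it: the unencoded stub is present in
    every PE file and must not trigger."""
    hits = []
    for key in keys:
        pattern = xor_bytes(needle, key)
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((idx, key))
            start = idx + 1
    return hits


def carve_xored_pe(data, max_header_distance=0x100):
    """For the first XORed stub hit, locate the XORed 'MZ' shortly before it
    (the stub sits within the first 0x100 bytes of a normal PE) and return
    the decoded embedded image from that point on, or None if nothing is found."""
    for offset, key in find_xored_strings(data):
        mz = xor_bytes(b"MZ", key)
        start = data.rfind(mz, max(0, offset - max_header_distance), offset)
        if start != -1:
            return xor_bytes(data[start:], key)
    return None


# Constructed test data (not the sample above): an inner PE-like blob with the
# stub message at the usual offset 0x40, XOR-encoded with key 0x37 and appended
# to an outer file that carries its own plain, unencoded DOS stub.
INNER_PE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB_MESSAGE + b"\x00" * 16
XOR_KEY = 0x37
OUTER_FILE = (
    b"MZ" + b"\x00" * 62 + DOS_STUB_MESSAGE + b"\x00" * 32
    + xor_bytes(INNER_PE, XOR_KEY)
)
# A file with only the plain stub: must produce no hits, like any ordinary PE.
CLEAN_FILE = b"MZ" + b"\x00" * 62 + DOS_STUB_MESSAGE + b"\x00" * 64

if __name__ == "__main__":
    for offset, key in find_xored_strings(OUTER_FILE):
        print(f"XORed DOS stub at offset {offset:#x}, key {key:#04x}")
    carved = carve_xored_pe(OUTER_FILE)
    print("carved image starts with", carved[:4])
```

Single-byte XOR is the only scheme this covers; a multi-byte or rolling key defeats both the YARA modifier and this scan, which is why the rule is prefixed SUSP_ rather than MAL_ and why a miss here says nothing about whether a payload is embedded.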

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: Amadey
File type: DLL
SHA256 hash: e5653d7990167fe4072984ee0af9b8547a65ff931944b0365faca726e0e3d6ea (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
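Both findings come straight from the PE optional header: the Authenticode check reads the Security data directory (index 4) and the DllCharacteristics check reads the 16-bit flag word at offset 70 of the optional header. The following added example (not BLint's code, and not derived from the sample) parses those fields for PE32 and PE32+ images, reproduces the two finding IDs above on a constructed header that has the same weakness, and shows the same header with the flag set and a signature directory present. The `build_minimal_pe32` helper, the 0x8540 flag value and the `REQUIRED_FLAGS` list are this example's own assumptions about what a linter checks, not BLint's actual rule set.

```python
import struct

# Added example (not BLint's code): parse the PE optional header the way a
# linter has to in order to report the two findings above, and show the
# same file with the weak settings corrected. The sample is constructed here;
# nothing is read from the MalwareBazaar entry.

IMAGE_FILE_DLL = 0x2000
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
DIRECTORY_SECURITY = 4     # Authenticode signature (file offset, not RVA)
DIRECTORY_CLR = 14         # non-zero => managed (.NET) image

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
# Flags whose absence the findings below report (this example's choice).
REQUIRED_FLAGS = ("HIGH_ENTROPY_VA", "DYNAMIC_BASE", "NX_COMPAT")


def parse_pe(data):
    """Return the security-relevant header fields of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symptr, _nsyms, _optsize, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        dirs = opt + 96            # data directories start after the PE32 fields
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        dirs = opt + 112           # PE32+ has 8-byte ImageBase/stack/heap fields
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both

    def directory(index):
        return struct.unpack_from("<II", data, dirs + 8 * index)

    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "dll_characteristics": dll_chars,
        "flags": {name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit},
        "is_dotnet": directory(DIRECTORY_CLR)[1] != 0,
        "has_authenticode": directory(DIRECTORY_SECURITY)[1] != 0,
    }


def security_findings(data):
    """Reproduce the two finding IDs shown above as (id, title, severity)."""
    info = parse_pe(data)
    findings = []
    if not info["has_authenticode"]:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    missing = [f for f in REQUIRED_FLAGS if f not in info["flags"]]
    if missing:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         f"Missing dll Security Characteristics ({', '.join(missing)})",
                         "high"))
    return findings


def build_minimal_pe32(dll_characteristics, dotnet=True, signed=False):
    """Constructed PE32 DLL header (headers only, no sections) for testing."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew
    # IMAGE_FILE_DLL | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<H", opt, 68, 2)                   # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * DIRECTORY_CLR, 0x2008, 72)
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * DIRECTORY_SECURITY, 0x600, 0x1000)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


# 0x8540 = TERMINAL_SERVER_AWARE | NO_SEH | NX_COMPAT | DYNAMIC_BASE: a common
# .NET linker default that lacks HIGH_ENTROPY_VA, matching the finding above.
WEAK_DLL = build_minimal_pe32(0x8540)
HARDENED_DLL = build_minimal_pe32(0x8540 | 0x0020, signed=True)

if __name__ == "__main__":
    for finding in security_findings(WEAK_DLL):
        print(*finding, sep=" | ")
```

Two caveats when reading these findings for this sample. HIGH_ENTROPY_VA only affects 64-bit address-space randomisation and is ignored by the loader for a PE32 image, so for a 32-bit DLL (the sandbox trace above loads it with loaddll32.exe) its absence is a weak signal despite the "high" severity. And a non-zero Security directory only means a signature blob is present; whether it verifies against a trusted chain is a separate check that this header-level parse does not perform.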
