MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e70a8d5fe537aa2f7bb4d014ee5c35a9c169adab64c4e034d9badd8e8641f26b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e70a8d5fe537aa2f7bb4d014ee5c35a9c169adab64c4e034d9badd8e8641f26b
SHA3-384 hash: ec60c4715a4a6997d9a56fdaf0004a27887cc4861d79c577f0a34e3ab705153530141155994c16e67edf0c86e372b5e7
SHA1 hash: 998ff60d9810eb0a3a3ffef6f29f38543b4eb927
MD5 hash: c730063f167122d2a9721c4e3eff5d5c
humanhash: item-charlie-ten-jupiter
File name:c730063f167122d2a9721c4e3eff5d5c.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:227'840 bytes
First seen:2022-01-08 10:05:58 UTC
Last seen:2022-01-08 11:43:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b56eb425bb7dbd4f686b84bebc7ef49 (6 x Amadey)
ssdeep 6144:nJKIz1xzlrYREPxIvD7cMs3LssdLWvuysg/:nhVhxIvvvsLTdLWvuys
Threatray 1'422 similar samples on MalwareBazaar
TLSH T1FD2419643916C032D660A1B219F57FF6C19DAD15ABB149EF2B800EB7D6212F37930E39
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://185.215.113.47/Gv93xs2Nz/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.215.113.47/Gv93xs2Nz/index.php https://threatfox.abuse.ch/ioc/291929/

Intelligence

File Origin
# of uploads :
2
# of downloads :
610
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c730063f167122d2a9721c4e3eff5d5c.exe
Verdict:
Malicious activity
Analysis date:
2022-01-08 10:08:02 UTC
Tags:
trojan amadey
Link:
https://app.any.run/tasks/a29ba26b-7858-4ac0-af7c-6f42e3631458

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217808/
Detection(s):
SecuriteInfo.com.Variant.Zusy.398750.21490.25653.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Adding an access-denied ACE
Creating a window
Delayed reading of the file
DNS request
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3853/overview
Behaviour
MalwareBazaar
CheckUsername
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware rundll32.exe shell32.dll zusy
Link:
https://www.filescan.io/uploads/61d9621002e388f9fdb5fcb8/reports/785d4a97-54d5-45c3-a4d2-eb361eaafaf5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9798eeb0-b269-4f9a-ae34-b3c110f0035d
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917123
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549601 Sample: 9GvmOHiG9U.exe Startdate: 08/01/2022 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 7 other signatures 2->65 8 9GvmOHiG9U.exe 4 2->8         started        12 tkools.exe 2->12         started        14 tkools.exe 2->14         started        16 tkools.exe 2->16         started        process3 file4 53 C:\Users\user\AppData\Local\...\tkools.exe, PE32 8->53 dropped 75 Contains functionality to inject code into remote processes 8->75 18 tkools.exe 14 8->18         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        26 2 other processes 8->26 signatures5 process6 dnsIp7 55 185.215.113.47, 49766, 49767, 49768 WHOLESALECONNECTIONSNL Portugal 18->55 57 192.168.2.1 unknown unknown 18->57 67 Antivirus detection for dropped file 18->67 69 Multi AV Scanner detection for dropped file 18->69 71 Machine Learning detection for dropped file 18->71 73 Uses schtasks.exe or at.exe to add and modify task schedules 18->73 28 cmd.exe 1 18->28         started        30 schtasks.exe 1 18->30         started        32 conhost.exe 22->32         started        40 2 other processes 22->40 34 conhost.exe 24->34         started        42 2 other processes 24->42 36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        44 2 other processes 26->44 signatures8 process9 process10 46 reg.exe 1 28->46         started        49 conhost.exe 28->49         started        51 conhost.exe 30->51         started        signatures11 77 Creates an undocumented autostart registry key 46->77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e70a8d5fe537aa2f7bb4d014ee5c35a9c169adab64c4e034d9badd8e8641f26b/
Threat name:
Win32.Downloader.Deyma
Create hunting rule
Status:
Malicious
First seen:
2022-01-04 07:14:58 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
28 of 43 (65.12%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=44fi2x7fg6vc665u2ako4xbvvhawtlnlmtcoangzxloy5bsb6jvq._file
Verdict:
malicious
Similar samples:
2dfc078c3658a63016fd846cc735c0d5c359b6639cb89ae08ccc9a19fb3e5df3
Amadey
314259cc43c8619b5f8e1ec548b34b64d6b8084342cdd6d8a970718c2d791da8
Amadey
41df984882b7cb539f1bcc03433f60e2bd7a0313b1e05bda78338d9176d6996b
Amadey
6dd4d7a668ac56bb6e71090d32a522e77c885e540758ed08ac03d702b02f26dd
Amadey
88019b018015f33c8ca9290a531027e90eae517f6b590fb1711de81ff222ed98
Amadey
ae275aba1d935bd3045e9cd3f258b72636e6759506e183423341a992faf47f80
Amadey
d0fd86e3254a14f3b99d141b8512eae447cd716436ba8a192422596a2b0bb625
Amadey
f6cb90f76c5ba8a4482c8405f744103f898b7d1920c569b74fb22dd9bea7d2a4
Amadey
+ 1'412 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey suricata trojan
Link:
https://tria.ge/reports/220108-l43pgadchr/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Amadey
suricata: ET MALWARE Amadey CnC Check-In
Malware Config
C2 Extraction:
185.215.113.47/Gv93xs2Nz/index.php
Unpacked files
SH256 hash:
e70a8d5fe537aa2f7bb4d014ee5c35a9c169adab64c4e034d9badd8e8641f26b
MD5 hash:
c730063f167122d2a9721c4e3eff5d5c
SHA1 hash:
998ff60d9810eb0a3a3ffef6f29f38543b4eb927
Link:
https://www.unpac.me/results/cfd749de-dc5b-48cc-8a71-eb77e49fdc32/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e70a8d5fe537/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e70a8d5fe537aa2f7bb4d014ee5c35a9c169adab64c4e034d9badd8e8641f26b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217808/

Comments