MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7dd285dc9f2ba81816427bb3a6f90645deb0b8d346d2edb81e9283a1bdbf787. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7dd285dc9f2ba81816427bb3a6f90645deb0b8d346d2edb81e9283a1bdbf787
SHA3-384 hash: e6859d906910af37f8189e0df553a2d2c531eea0037f8441772d77d1bfcc6852987d3bb8d6ffe725b7350c9669abc3ed
SHA1 hash: 1462b225e40ce72df31075d9ca920a356818fe3c
MD5 hash: 77b69071ccc75e75a48ea59d48a55a30
humanhash: freddie-table-nineteen-skylark
File name:77b69071ccc75e75a48ea59d48a55a30
Download: download sample
Signature Amadey
Create hunting rule
File size:1'889'792 bytes
First seen:2024-10-07 01:20:42 UTC
Last seen:2024-10-07 02:28:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:dgx2kOoNM8s9iuz17ZfuA37h94+JqDn9KuOVZ+YuF1:dgWoS8GFZp3V94bj9leZ+3
TLSH T1AC9533CC966514D6DD43A438CAACC68897F0D4E837FDBB1614BF1CBE460B83996B6131
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
434
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
77b69071ccc75e75a48ea59d48a55a30
Verdict:
Malicious activity
Analysis date:
2024-10-07 01:23:58 UTC
Tags:
amadey botnet stealer opendir loader stealc themida lumma autoit
Link:
https://app.any.run/tasks/7fa130e7-e846-459c-937b-3934361b0ed3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.5743.31839.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67033780b932c04ee8fdac8a
Tags:
Vmdetect Autorun Autoit Spam
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6703377e67d837505d784134/reports/21df92b3-3434-4987-b4ae-fd64d39e0593/overview
Verdict:
Malicious
Labled as:
Kryptik.Generic
Link:
https://www.hybrid-analysis.com/sample/e7dd285dc9f2ba81816427bb3a6f90645deb0b8d346d2edb81e9283a1bdbf787
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NtHack
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/285560ee-972f-42f5-848b-a551308c946d
Result
Threat name:
LummaC, Amadey, Credential Flusher, Stea
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1527565
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Excessive usage of taskkill to terminate processes
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527565 Sample: 8ObkdHP9Hq.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 90 sergei-esenin.com 2->90 92 licendfilteo.site 2->92 94 8 other IPs or domains 2->94 116 Multi AV Scanner detection for domain / URL 2->116 118 Suricata IDS alerts for network traffic 2->118 120 Found malware configuration 2->120 122 18 other signatures 2->122 9 skotes.exe 3 22 2->9         started        14 8ObkdHP9Hq.exe 5 2->14         started        16 84d280a9e8.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 106 185.215.113.43, 49788, 49804, 49836 WHOLESALECONNECTIONSNL Portugal 9->106 108 185.215.113.103, 49810, 49842, 49879 WHOLESALECONNECTIONSNL Portugal 9->108 78 C:\Users\user\AppData\...\9d7da53f74.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->80 dropped 82 C:\Users\user\AppData\...\84d280a9e8.exe, PE32 9->82 dropped 88 3 other malicious files 9->88 dropped 150 Creates multiple autostart registry keys 9->150 152 Hides threads from debuggers 9->152 154 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->154 20 9d7da53f74.exe 9->20         started        24 84d280a9e8.exe 9->24         started        26 num.exe 13 9->26         started        84 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->84 dropped 86 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->86 dropped 156 Detected unpacking (changes PE section rights) 14->156 158 Tries to evade debugger and weak emulator (self modifying code) 14->158 160 Tries to detect virtualization through RDTSC time measurements 14->160 28 skotes.exe 14->28         started        162 Binary is likely a compiled AutoIt script file 16->162 164 Excessive usage of taskkill to terminate processes 16->164 30 taskkill.exe 16->30         started        32 taskkill.exe 16->32         started        34 taskkill.exe 16->34         started        38 20 other processes 16->38 166 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->166 36 taskkill.exe 18->36         started        file6 signatures7 process8 dnsIp9 96 sergei-esenin.com 104.21.53.8, 443, 61043, 61190 CLOUDFLARENETUS United States 20->96 98 steamcommunity.com 104.102.49.254, 443, 61026, 61176 AKAMAI-ASUS United States 20->98 124 Antivirus detection for dropped file 20->124 126 Multi AV Scanner detection for dropped file 20->126 128 Detected unpacking (changes PE section rights) 20->128 148 3 other signatures 20->148 130 Binary is likely a compiled AutoIt script file 24->130 132 Found API chain indicative of sandbox detection 24->132 134 Excessive usage of taskkill to terminate processes 24->134 40 chrome.exe 24->40         started        43 taskkill.exe 1 24->43         started        45 taskkill.exe 1 24->45         started        55 3 other processes 24->55 100 185.215.113.37, 49854, 61131, 61184 WHOLESALECONNECTIONSNL Portugal 26->100 136 Found evasive API chain (may stop execution after checking locale) 26->136 138 Searches for specific processes (likely to inject) 26->138 140 Machine Learning detection for dropped file 28->140 142 Tries to evade debugger and weak emulator (self modifying code) 28->142 144 Hides threads from debuggers 28->144 146 Potentially malicious time measurement code found 28->146 47 conhost.exe 30->47         started        49 conhost.exe 32->49         started        51 conhost.exe 34->51         started        53 conhost.exe 36->53         started        57 20 other processes 38->57 signatures10 process11 dnsIp12 102 192.168.2.4, 138, 443, 49186 unknown unknown 40->102 104 239.255.255.250 unknown Reserved 40->104 59 chrome.exe 40->59         started        62 chrome.exe 40->62         started        64 chrome.exe 40->64         started        76 4 other processes 40->76 66 conhost.exe 43->66         started        68 conhost.exe 45->68         started        70 conhost.exe 55->70         started        72 conhost.exe 55->72         started        74 conhost.exe 55->74         started        process13 dnsIp14 110 youtube-ui.l.google.com 142.250.181.238, 443, 49860 GOOGLEUS United States 59->110 112 www.google.com 142.250.184.228, 443, 49886 GOOGLEUS United States 59->112 114 5 other IPs or domains 59->114
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e7dd285dc9f2ba81816427bb3a6f90645deb0b8d346d2edb81e9283a1bdbf787
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7dd285dc9f2ba81816427bb3a6f90645deb0b8d346d2edb81e9283a1bdbf787/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-10-07 01:21:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=47osqxoj6k5idalee65tu34qmro6wc4ngrws5w4b5eudug6366dq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:stealc botnet:9c9aa5 botnet:doma discovery evasion persistence stealer trojan
Link:
https://tria.ge/reports/241007-bqnchs1crb/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Lumma Stealer, LummaC
Stealc
Malware Config
C2 Extraction:
http://185.215.113.43
http://185.215.113.37
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a2d48d1a-5097-48ac-9c29-a91cdb61335f
Unpacked files
SH256 hash:
61a88ab893891a49f4b6e9c9fa2c31ff131f626f174deb4dcc8da464c30e6f7e
MD5 hash:
dc1fe3672c15344d92469cfd044eda92
SHA1 hash:
8c86f87ecec20f18fbe18412c83b04f5981f53ef
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/30e8c248-0f05-42fe-9239-14eb57baeecb/
SH256 hash:
e7dd285dc9f2ba81816427bb3a6f90645deb0b8d346d2edb81e9283a1bdbf787
MD5 hash:
77b69071ccc75e75a48ea59d48a55a30
SHA1 hash:
1462b225e40ce72df31075d9ca920a356818fe3c
Link:
https://www.unpac.me/results/30e8c248-0f05-42fe-9239-14eb57baeecb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7dd285dc9f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7dd285dc9f2ba81816427bb3a6f90645deb0b8d346d2edb81e9283a1bdbf787

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe e7dd285dc9f2ba81816427bb3a6f90645deb0b8d346d2edb81e9283a1bdbf787

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3184067/
  
URLhaus
https://urlhaus.abuse.ch/url/3182947/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments


Avatar
zbet commented on 2024-10-07 01:20:42 UTC

url : hxxp://185.215.113.103/mine/random.exe