MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e80171fd5b32206e71fed542c3cae3055217f5f590faf8daa155b4a362942e65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e80171fd5b32206e71fed542c3cae3055217f5f590faf8daa155b4a362942e65
SHA3-384 hash: 608590b7a327e87b6bd5c9b4f059674b9cabe9efaa28b18e0a0d25c1a5376602f344395501b4b7238ed9db4c9eb32272
SHA1 hash: 5149fff99b5fef0018f704566908816d838c064c
MD5 hash: 436ec8e845cbb9bcd7098b37be1c0610
humanhash: fanta-winter-august-hot
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:1'933'824 bytes
First seen:2024-11-01 11:31:31 UTC
Last seen:2024-11-01 13:28:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:hHxYCcMZJv29KMiwObbQZwOU5X1kR/AEFktM:hHxYWPUi7vQHUxgEM
TLSH T15295336E635039B3C6199F3173A3BBB27BF4DC263793815676153138C2A23A374A11B6
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/soka/random.exe

Intelligence

File Origin
# of uploads :
16
# of downloads :
456
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-01 11:32:53 UTC
Tags:
amadey botnet stealer loader stealc lumma themida telegram
Link:
https://app.any.run/tasks/eee0d4eb-3ae8-4834-99b6-1ea01589752b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.6928.6217.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6724bc3f8d23d904913272f4
Tags:
autorun spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6724bc362734cb737d90f669/reports/0a8bf945-3b90-4887-8e11-5000171e79e4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e80171fd5b32206e71fed542c3cae3055217f5f590faf8daa155b4a362942e65
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e04680f1-8e7e-468c-b7a4-371e382d27b3
Result
Threat name:
LummaC, Amadey, LummaC Stealer, Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1546670
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1546670 Sample: file.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 83 thumbystriw.store 2->83 85 presticitpo.store 2->85 87 6 other IPs or domains 2->87 113 Suricata IDS alerts for network traffic 2->113 115 Found malware configuration 2->115 117 Antivirus detection for URL or domain 2->117 119 15 other signatures 2->119 11 axplong.exe 2 19 2->11         started        16 file.exe 5 2->16         started        18 59d7339838.exe 2->18         started        20 5 other processes 2->20 signatures3 process4 dnsIp5 95 185.215.113.16, 49956, 49971, 49972 WHOLESALECONNECTIONSNL Portugal 11->95 69 C:\Users\user\AppData\...\59d7339838.exe, PE32 11->69 dropped 71 C:\Users\user\AppData\...\b02ca6c530.exe, PE32 11->71 dropped 73 C:\Users\user\AppData\Local\...\random[1].exe, PE32 11->73 dropped 75 C:\Users\user\AppData\Local\...\random[1].exe, PE32 11->75 dropped 179 Creates multiple autostart registry keys 11->179 181 Hides threads from debuggers 11->181 183 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->183 22 59d7339838.exe 2 11->22         started        27 b02ca6c530.exe 13 11->27         started        77 C:\Users\user\AppData\Local\...\axplong.exe, PE32 16->77 dropped 79 C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII 16->79 dropped 185 Detected unpacking (changes PE section rights) 16->185 187 Tries to evade debugger and weak emulator (self modifying code) 16->187 189 Tries to detect virtualization through RDTSC time measurements 16->189 191 Potentially malicious time measurement code found 16->191 29 axplong.exe 16->29         started        193 Query firmware table information (likely to detect VMs) 18->193 195 Found many strings related to Crypto-Wallets (likely being stolen) 18->195 197 Tries to steal Crypto Currency Wallets 18->197 199 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 20->199 file6 signatures7 process8 dnsIp9 91 necklacedmny.store 188.114.96.3, 443, 49978, 49980 CLOUDFLARENETUS European Union 22->91 63 C:\Users\...\WBQBXT7R0KIHGBUKORZPTVE39I.exe, PE32 22->63 dropped 65 C:\Users\user\...\K73CAIXQZ7ROMEX8OQ5J7.exe, PE32 22->65 dropped 137 Antivirus detection for dropped file 22->137 139 Multi AV Scanner detection for dropped file 22->139 141 Detected unpacking (changes PE section rights) 22->141 153 4 other signatures 22->153 31 WBQBXT7R0KIHGBUKORZPTVE39I.exe 22->31         started        35 K73CAIXQZ7ROMEX8OQ5J7.exe 22->35         started        93 185.215.113.206, 49973, 49987, 50010 WHOLESALECONNECTIONSNL Portugal 27->93 143 Machine Learning detection for dropped file 27->143 145 Tries to evade debugger and weak emulator (self modifying code) 27->145 147 Hides threads from debuggers 27->147 149 Tries to detect sandboxes / dynamic malware analysis system (registry check) 29->149 151 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 29->151 file10 signatures11 process12 file13 81 C:\Users\user\AppData\Local\...\skotes.exe, PE32 31->81 dropped 97 Antivirus detection for dropped file 31->97 99 Detected unpacking (changes PE section rights) 31->99 101 Machine Learning detection for dropped file 31->101 109 4 other signatures 31->109 37 skotes.exe 31->37         started        103 Multi AV Scanner detection for dropped file 35->103 105 Modifies windows update settings 35->105 107 Disables Windows Defender Tamper protection 35->107 111 2 other signatures 35->111 signatures14 process15 dnsIp16 89 185.215.113.43, 50017, 50022, 50029 WHOLESALECONNECTIONSNL Portugal 37->89 55 C:\Users\user\AppData\...\FontCreator.exe, PE32 37->55 dropped 57 C:\Users\user\AppData\...\7c247f0fb6.exe, PE32 37->57 dropped 59 C:\Users\user\AppData\...\e62942d11f.exe, PE32 37->59 dropped 61 4 other malicious files 37->61 dropped 129 Antivirus detection for dropped file 37->129 131 Detected unpacking (changes PE section rights) 37->131 133 Machine Learning detection for dropped file 37->133 135 6 other signatures 37->135 42 skotes.exe 37->42         started        46 5708637e68.exe 37->46         started        48 e62942d11f.exe 37->48         started        50 2 other processes 37->50 file17 signatures18 process19 file20 67 C:\Users\user\...\BDDBC4BP671F32YA9Q.exe, PE32 42->67 dropped 155 Query firmware table information (likely to detect VMs) 42->155 157 Tries to harvest and steal ftp login credentials 42->157 159 Tries to harvest and steal browser information (history, passwords, etc) 42->159 161 Tries to steal Crypto Currency Wallets 42->161 52 BDDBC4BP671F32YA9Q.exe 42->52         started        163 Antivirus detection for dropped file 46->163 165 Multi AV Scanner detection for dropped file 46->165 167 Detected unpacking (changes PE section rights) 46->167 169 Machine Learning detection for dropped file 48->169 171 Tries to evade debugger and weak emulator (self modifying code) 48->171 173 Hides threads from debuggers 48->173 175 Tries to detect sandboxes / dynamic malware analysis system (registry check) 50->175 177 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 50->177 signatures21 process22 signatures23 121 Multi AV Scanner detection for dropped file 52->121 123 Detected unpacking (changes PE section rights) 52->123 125 Tries to detect sandboxes and other dynamic analysis tools (window names) 52->125 127 5 other signatures 52->127
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e80171fd5b32206e71fed542c3cae3055217f5f590faf8daa155b4a362942e65
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e80171fd5b32206e71fed542c3cae3055217f5f590faf8daa155b4a362942e65/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-01 11:32:06 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5aaxd7k3giqg44p62vbmhsxdavjbp5pvsd5prwvbkw2kgyuufzsq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:stealc family:vidar botnet:7c4393 botnet:default_valenciga botnet:fed3aa botnet:tale collection credential_access discovery evasion persistence privilege_escalation spyware stealer trojan
Link:
https://tria.ge/reports/241101-nvm9jaymbz/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Embeds OpenSSL
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Malware Config
C2 Extraction:
http://185.215.113.16
http://185.215.113.17
http://185.215.113.217
http://185.215.113.206
https://necklacedmny.store/api
https://founpiuer.store/api
https://navygenerayk.store/api
https://goalyfeastz.site/api
https://contemteny.site/api
https://dilemmadu.site/api
https://authorisev.site/api
https://computeryrati.site/api
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/abff79a4-8aae-41b5-8157-68fc28a9d76f
Unpacked files
SH256 hash:
85313d44b8b37a73944552ee482e48cd6c3fa0850add8d442017612b2cd59186
MD5 hash:
c12b10e6a6ecf19d60b312daf3d4d3d4
SHA1 hash:
93eb63f80a9e7b93d81b9cd897553682f914f4a8
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/3cfad5d1-e830-457b-a71a-bc70f4da7f61/
SH256 hash:
e80171fd5b32206e71fed542c3cae3055217f5f590faf8daa155b4a362942e65
MD5 hash:
436ec8e845cbb9bcd7098b37be1c0610
SHA1 hash:
5149fff99b5fef0018f704566908816d838c064c
Link:
https://www.unpac.me/results/3cfad5d1-e830-457b-a71a-bc70f4da7f61/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e80171fd5b32/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e80171fd5b32206e71fed542c3cae3055217f5f590faf8daa155b4a362942e65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe e80171fd5b32206e71fed542c3cae3055217f5f590faf8daa155b4a362942e65

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3067427/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments