MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9a9ba5d74e35e91dcd4276147570f47f0866ddccb0ddfb6c23adae8d592a1e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9a9ba5d74e35e91dcd4276147570f47f0866ddccb0ddfb6c23adae8d592a1e5
SHA3-384 hash: 0321b7cd9c892fe75173b39f3b2fb8fe283da6e74fbc5076fa927ec0579f248da14e4190897213a45b72d2ba5f03280b
SHA1 hash: 434ddb620a9050e59e5ec225d3d95f51a5d43ac8
MD5 hash: 85aaa4455d228631e2232f7ac5e2ef3c
humanhash: zulu-black-item-sixteen
File name:SecuriteInfo.com.Win32.BotX-gen.31536.22198
Download: download sample
Signature Amadey
Create hunting rule
File size:909'176 bytes
First seen:2023-11-08 11:20:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f7089f5461ebd9f31ea39037a66cb292 (1 x Amadey)
ssdeep 24576:d1sARNjFn9Q+yi/PWaHOCt7HmK091X1A69:djj1O/N+7HyTA6
Threatray 19 similar samples on MalwareBazaar
TLSH T14915CF36B1B18032D06717795D0FA7BCA4267E002DDBD877AAE56F0C1F2D290776A287
TrID 28.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
26.2% (.SCR) Windows screen saver (13097/50/3)
20.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
9.0% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter SecuriteInfoCom
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.BotX-gen.31536.22198
Verdict:
Malicious activity
Analysis date:
2023-11-08 11:23:47 UTC
Tags:
amadey botnet stealer phishing loader
Link:
https://app.any.run/tasks/5a3b2802-98b5-405d-b242-25236918f662

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.31536.22198.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Creating a process with a hidden window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware keylogger lolbin overlay packed replace shell32
Link:
https://www.filescan.io/uploads/654b6f32993fbf888b6a1d96/reports/94872724-8668-4754-b5c0-88de48b2d754/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e9a9ba5d74e35e91dcd4276147570f47f0866ddccb0ddfb6c23adae8d592a1e5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f80cd5e-2174-45a3-b8ff-bfdc425c41e6
Result
Threat name:
Amadey, CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1338976
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Posts data to a JPG file (protocol mismatch)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1338976 Sample: SecuriteInfo.com.Win32.BotX... Startdate: 08/11/2023 Architecture: WINDOWS Score: 100 41 021yu3rh023u90fu92j9-03jf.xyz 2->41 43 www.021yu3rh023u90fu92j9-03jf.xyz 2->43 45 2 other IPs or domains 2->45 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Antivirus detection for URL or domain 2->57 61 10 other signatures 2->61 8 SecuriteInfo.com.Win32.BotX-gen.31536.22198.exe 5 2->8         started        signatures3 59 Performs DNS queries to domains with low reputation 41->59 process4 file5 31 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 8->31 dropped 63 Detected unpacking (changes PE section rights) 8->63 65 Detected unpacking (overwrites its own PE header) 8->65 67 Contains functionality to inject code into remote processes 8->67 12 Utsysc.exe 8->12         started        17 WerFault.exe 16 8->17         started        19 WerFault.exe 16 8->19         started        21 9 other processes 8->21 signatures6 process7 dnsIp8 47 021yu3rh023u90fu92j9-03jf.xyz 192.64.119.156, 49714, 49718, 80 NAMECHEAP-NETUS United States 12->47 49 0-9u210edu12j-dj-1.xyz 77.91.76.7, 49715, 49716, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 12->49 51 parkingpage.namecheap.com 91.195.240.19, 49717, 49719, 80 SEDO-ASDE Germany 12->51 33 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 12->33 dropped 35 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 12->35 dropped 37 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 12->37 dropped 39 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 12->39 dropped 69 Multi AV Scanner detection for dropped file 12->69 71 Creates an undocumented autostart registry key 12->71 23 WerFault.exe 12->23         started        25 WerFault.exe 12->25         started        27 WerFault.exe 12->27         started        29 2 other processes 12->29 file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e9a9ba5d74e35e91dcd4276147570f47f0866ddccb0ddfb6c23adae8d592a1e5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9a9ba5d74e35e91dcd4276147570f47f0866ddccb0ddfb6c23adae8d592a1e5/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2023-11-08 09:07:02 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5gu3uxlu4npjdxgue5quovypi7yim3o4zmg57nwchlnorvmsuhsq._file
Verdict:
malicious
Similar samples:
19f0386456060982bf9880a31c55022371ea3825c10f5ecca1310c8219ed738c
Amadey
1ab121c22361884aa13cc654a4e79a6e70240d3ef60bc1e660aeef7bde168aa3
Amadey
2e27c7e69d9afab19b7a0f07b189c1e30764ebc849b116230ba39f72f6b09b39
Amadey
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
Amadey
a36008ccf756f876e0147de16b44cc7f98671217909435fe5c686f978259b85c
Amadey
d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374
Amadey
+ 9 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey spyware stealer trojan
Link:
https://tria.ge/reports/231108-nfzn1sbg76/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Amadey
Unpacked files
SH256 hash:
816b70872c682f8bad55df6395e55195fb80583265e01b95182ddc39f7517d70
MD5 hash:
0095c0d37930541ec2312bb5435b3590
SHA1 hash:
5d01a09dfbbc7138cdf4728e60b056b2d99c67e1
Detections:
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/1f695726-13c0-4c1d-aa2f-f68d850e1474/
SH256 hash:
e9a9ba5d74e35e91dcd4276147570f47f0866ddccb0ddfb6c23adae8d592a1e5
MD5 hash:
85aaa4455d228631e2232f7ac5e2ef3c
SHA1 hash:
434ddb620a9050e59e5ec225d3d95f51a5d43ac8
Link:
https://www.unpac.me/results/1f695726-13c0-4c1d-aa2f-f68d850e1474/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e9a9ba5d74e35e91dcd4276147570f47f0866ddccb0ddfb6c23adae8d592a1e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.amadey.
Rule name:win_amadey_bytecodes_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe e9a9ba5d74e35e91dcd4276147570f47f0866ddccb0ddfb6c23adae8d592a1e5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2728898/
  
Delivery method
Distributed via web download

Comments