MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9faa7dce8d4693ebef2e9f47d3af496323b887e7733e38eca4e40a937cd1dfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey
Vendor detections: 7

SHA256 hash: e9faa7dce8d4693ebef2e9f47d3af496323b887e7733e38eca4e40a937cd1dfe
SHA3-384 hash: 981bf5ddd94242cdecc435ead6c2ae16b94ddaf059ce13384db5098f1489e19d914ceed27834d70992403842349eb75e
SHA1 hash: 58d4cda42858beae2cabc81b3431662a1706c169
MD5 hash: ee25cc3a8bfe7ca957ceabba93532f98
humanhash: alaska-lactose-summer-lactose
File name: PAGO_EN_TOTALIDAD_300920209857512014789653202356985868320175948756230159865230214758968574210236582141.exe
Signature: Amadey
File size: 874'747 bytes
First seen: 2020-10-02 07:25:01 UTC
Last seen: 2020-10-02 07:54:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf6171d5e900bf93e668170d1a189f34 (4 x CryptBot, 1 x Amadey, 1 x RedLineStealer)
ssdeep: 24576:o3gjawsPaWQ1pBuP6TzlLWrdSAD/cUB0+GzUDyi:ogjsf6pEP6TzVWrlD/cUBPGzUei
Threatray: 103 similar samples on MalwareBazaar
TLSH: 9C1522023BF540BAD9A3263118C57B38C975EAB50B2886CB775815074F4A3D6DB3A32F
Reporter: JAMESWT_WT
Tags: Amadey
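The imphash above is shared with four CryptBot samples and one RedLineStealer sample, which is the usual reason an imphash pivot crosses family lines: the hash covers only the ordered list of imported DLL/function names, so every binary built from the same packer or loader stub shares it regardless of the payload inside. The following is an added example, not MalwareBazaar's or pefile's code; it reimplements the published Mandiant imphash normalisation (the same steps pefile's get_imphash() applies) on a constructed import table, and the ordinal tables are a constructed subset of the ws2_32/oleaut32 ordinals that tooling resolves to names.

```python
"""Import hash (imphash) of an import table: added example, not MalwareBazaar's
or pefile's code. Normalisation follows the published Mandiant algorithm."""
import hashlib

# Constructed subset: ordinals that imphash tooling resolves to names before hashing.
ORDINAL_NAMES = {
    "ws2_32.dll": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                   16: "recv", 19: "send", 23: "socket", 52: "gethostbyname",
                   57: "gethostname", 115: "WSAStartup", 116: "WSACleanup"},
    "oleaut32.dll": {2: "SysAllocString", 6: "SysFreeString", 7: "SysStringLen"},
}


def normalize_lib(dll: str) -> str:
    """Lower-case the DLL name and strip a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in ("dll", "ocx", "sys") else name


def import_strings(imports):
    """Map (dll, name, ordinal) triples to the 'lib.func' strings that get hashed.

    name is None for imports by ordinal; ordinals without a known name become 'ordN'.
    Order is preserved: imphash is sensitive to import order, not just the set.
    """
    out = []
    for dll, name, ordinal in imports:
        if name is None:
            name = ORDINAL_NAMES.get(dll.lower(), {}).get(ordinal, f"ord{ordinal}")
        out.append(f"{normalize_lib(dll)}.{name.lower()}")
    return out


def imphash(imports) -> str:
    """MD5 over the comma-joined, order-preserving import strings."""
    return hashlib.md5(",".join(import_strings(imports)).encode()).hexdigest()


# Constructed import table of a minimal packer stub (not taken from the sample).
STUB_IMPORTS = [
    ("KERNEL32.DLL", "LoadLibraryA", None),
    ("KERNEL32.DLL", "GetProcAddress", None),
    ("KERNEL32.DLL", "VirtualAlloc", None),
    ("USER32.dll", "MessageBoxA", None),
    ("WS2_32.dll", None, 23),          # socket, imported by ordinal
]

# The same stub as another linker might emit it: DLL case differs, socket imported by name.
STUB_IMPORTS_VARIANT = [
    ("kernel32.dll", "LoadLibraryA", None),
    ("kernel32.dll", "GetProcAddress", None),
    ("kernel32.dll", "VirtualAlloc", None),
    ("user32.dll", "MessageBoxA", None),
    ("ws2_32.dll", "socket", None),
]

if __name__ == "__main__":
    print(imphash(STUB_IMPORTS))
    print("variant collides:", imphash(STUB_IMPORTS) == imphash(STUB_IMPORTS_VARIANT))
    print("reordered collides:", imphash(list(reversed(STUB_IMPORTS))) == imphash(STUB_IMPORTS))
```

The two constructed tables hash identically because case, extension and ordinal-versus-name differences are normalised away, while reordering the same imports changes the hash; that is why a packer stub gives one imphash across families and why imphash alone should not be used to attribute a sample.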

Code Signing Certificate

Organisation: DECIPHER MEDIA LLC
Issuer: COMODO RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: Oct 30 00:00:00 2018 GMT
Valid to: Oct 29 23:59:59 2021 GMT
Serial number: BCE1D49FF444D032BA3DDA6394A311E9
Thumbprint Algorithm: SHA256
Thumbprint: E9A9EF5DFCA4D2E720E86443C6D491175F0E329AB109141E6E2EE4F0E33F2E38
Source: ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 803
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Enabling autorun by creating a file
Result
Threat name:
Detection: malicious
Classification: phis.troj.spyw.evad (phishing / trojan / spyware / evasive)
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadey's stealer DLL
Behaviour
Behavior Graph:
Behavior Graph ID: 292433; Sample: 36582141.exe; Start date: 02/10/2020; Architecture: WINDOWS; Score: 100
Signatures on the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 10 other signatures
Process tree reconstructed from the graph (indentation = parent/child; [signatures] per node; "drops" = files written by that process; "->" = network endpoints contacted):
36582141.exe  [Contains functionality to register a low level keyboard hook]
  cmd.exe
    conhost.exe
    cmd.exe  [Uses ping.exe to sleep]
      drops C:\Users\user\AppData\Local\...\lsass.com (PE32)
      PING.EXE -> 127.0.0.1, 192.168.2.1
      PING.EXE -> vAyrJy.woJRtj (DNS lookup of a random-looking name)
      certutil.exe
      lsass.com  [Multi AV Scanner detection for dropped file; Drops PE files with a suspicious file extension]
        lsass.com  [Writes to foreign memory regions; Maps a DLL or memory area into another process]
          -> sTPQPeh.sTPQPeh (DNS lookup of a random-looking name)
          drops C:\Users\user\AppData\Roaming\...\file.com (PE32); C:\Users\user\AppData\Local\...\attrib.exe (PE32); C:\Users\user\AppData\Roaming\...\file.url (MS)
          attrib.exe  (the dropped AppData copy rather than the system utility, to judge from its DLL drops and outbound connection)
            -> 217.8.117.76 (ports 49740, 49741, 49742; CREXFEXPEX-RUSSIARU, Russian Federation)
            drops C:\Users\user\AppData\Local\Temp\scr.dll; C:\Users\user\AppData\Local\Temp\cred.dll; C:\Users\user\AppData\Local\...\scr[1].dll; C:\Users\user\AppData\Local\...\cred[1].dll (all PE32)
            rundll32.exe -> 192.168.2.5 (ports 443, 49673, 49674)  [Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials]
            reg.exe  [Creates multiple autostart registry keys]
              conhost.exe
            reg.exe
              conhost.exe
            rundll32.exe  [System process connects to network (likely due to code injection or exploit)]
  cmd.exe  [Drops PE files with a suspicious file extension]
    conhost.exe
wscript.exe  (also started from the root node, as a separate process tree)
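Several of the behaviours in the graph above are cheap to detect from process-creation telemetry alone: ping against loopback with a large count as a sleep, certutil invoked with decode/download flags, a PE executed under a .com extension from AppData, a system-binary name (lsass, attrib) running from a user-writable path, reg.exe writing a Run key, and rundll32 loading a DLL from %TEMP%. The block below is an added example, not MalwareBazaar's or any sandbox vendor's detection logic; the events are constructed to mirror the graph (the .bat, blob.txt and export names are made up), the field names follow Sysmon Event ID 1 (Image, CommandLine), and the flag and name lists are assumptions about common abuse patterns rather than facts the entry states.

```python
"""Triage Windows process-creation events for the behaviours in this entry.
Added example, not MalwareBazaar's or a sandbox vendor's code; events are constructed."""
import re
from pathlib import PureWindowsPath

# Assumed markers of user-writable locations (lower-cased, backslash-delimited).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Assumed list of system-binary names that should never execute from a user path.
SYSTEM_NAMES = {"lsass", "svchost", "csrss", "winlogon", "explorer", "attrib"}
ODD_PE_EXTENSIONS = {".com", ".pif", ".scr"}
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\b")
CERTUTIL_FLAGS = re.compile(r"-(decode|decodehex|urlcache|encode)\b")   # assumed abuse flags


def evaluate(event):
    """Return the list of rule names the event matches (empty for benign)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    path = PureWindowsPath(image)
    stem, ext = path.stem, path.suffix
    in_user_dir = any(marker in image for marker in USER_WRITABLE)
    hits = []
    # "Drops PE files with a suspicious file extension": lsass.com, file.com
    if in_user_dir and ext in ODD_PE_EXTENSIONS:
        hits.append("pe_with_suspicious_extension")
    # lsass.com / attrib.exe executing from AppData instead of System32
    if in_user_dir and stem in SYSTEM_NAMES:
        hits.append("system_binary_name_in_user_path")
    # "Uses ping.exe to sleep": ping -n <count> against loopback
    if stem == "ping" and re.search(r"-n\s+\d+", cmd) and ("127.0.0.1" in cmd or "localhost" in cmd):
        hits.append("ping_used_as_sleep")
    # "Sigma detected: Suspicious Certutil Command"
    if stem == "certutil" and CERTUTIL_FLAGS.search(cmd):
        hits.append("suspicious_certutil")
    # "Creates multiple autostart registry keys"
    if stem == "reg" and " add " in cmd and RUN_KEY.search(cmd):
        hits.append("run_key_persistence")
    # rundll32 loading scr.dll / cred.dll from %TEMP%
    if stem == "rundll32" and re.search(r"\\temp\\[^\s,]+\.dll", cmd):
        hits.append("rundll32_dll_from_temp")
    # "Enabling the 'hidden' option for recently created files" via the real attrib
    if stem == "attrib" and not in_user_dir and "+h" in cmd.split():
        hits.append("attrib_hides_file")
    return hits


def triage(events):
    """Return {index: hits} for every event that matched at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}


# Constructed Sysmon-style events modelled on the behaviour graph, not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\user\AppData\Local\Temp\run.bat"'},
    {"Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 30 127.0.0.1"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\user\AppData\Local\Temp\blob.txt lsass.com"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\lsass.com",
     "CommandLine": "lsass.com"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v file /t REG_SZ /d "C:\Users\user\AppData\Roaming\file.com" /f'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Users\user\AppData\Local\Temp\cred.dll,Main"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\attrib.exe",
     "CommandLine": "attrib.exe"},
    {"Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 1 192.168.2.1"},   # ordinary connectivity check, should not fire
]

if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        print(idx, EVENTS[idx]["Image"], hits)
```

None of these rules is specific to Amadey; they fire on the loader tradecraft the graph shows (LOLBin abuse, odd extensions, masqueraded names, Run-key persistence), which is what survives when the payload is repacked. The last event is included to show that a plain ping to a LAN gateway, also present in the graph, does not trip the sleep rule.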
Threat name: Win32.Trojan.Alien
Status: Malicious
First seen: 2020-10-01 05:26:55 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
Unpacked files
SHA256 hash: e9faa7dce8d4693ebef2e9f47d3af496323b887e7733e38eca4e40a937cd1dfe
MD5 hash: ee25cc3a8bfe7ca957ceabba93532f98
SHA1 hash: 58d4cda42858beae2cabc81b3431662a1706c169
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_amadey_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments