Threat name: PureCrypter, LummaC, Amadey, LummaC Stea
Alert
Classification: troj.spyw.evad
Signatures:
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected PureCrypter Trojan
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Modifies windows update settings
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar stealer
Yara detected WhiteSnake Stealer
Behavior Graph
ID: 1545821
Sample: file.exe
Startdate: 31/10/2024
Architecture: WINDOWS
Score: 100

Process tree from the behavior graph (each process lists its network contacts, dropped files and triggered signatures, followed by the processes it started):

Graph root
  Network: 185.215.113.43 (WHOLESALECONNECTIONSNL, Portugal); thumbystriw.store; 23 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 21 other signatures
  Started:
    axplong.exe
      Network: 185.215.113.16 ports 58379, 58380, 58383 (WHOLESALECONNECTIONSNL, Portugal)
      Dropped: C:\Users\user\AppData\...\62dceeab4d.exe (PE32); C:\Users\user\AppData\...\f99547c8e6.exe (PE32); C:\Users\user\AppData\Local\...\Final.exe (PE32); 3 other malicious files
      Signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
      Started:
        62dceeab4d.exe
          Network: necklacedmny.store 188.114.96.3 (CLOUDFLARENETUS, European Union)
          Dropped: C:\Users\user\...\VGX14DCMPTTJ4O2LPZ4N.exe (PE32); C:\Users\...\V30AHCO282KY2KV83OC4RNYNX.exe (PE32)
          Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); 5 other signatures
          Started:
            V30AHCO282KY2KV83OC4RNYNX.exe
              Dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32)
              Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; 2 other signatures
              Started:
                skotes.exe
                  Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; 2 other signatures
            VGX14DCMPTTJ4O2LPZ4N.exe
              Signatures: Modifies windows update settings; Disables Windows Defender Tamper protection; Disable Windows Defender notifications (registry); Disable Windows Defender real time protection (registry)
        f99547c8e6.exe
          Network: 185.215.113.206 (WHOLESALECONNECTIONSNL, Portugal); 127.0.0.1 (unknown)
          Dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 10 other files (2 malicious)
          Signatures: Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; 2 other signatures
          Started:
            chrome.exe
              Network: 192.168.2.5 ports 443, 49703, 49704 (unknown); 239.255.255.250 (Reserved)
              Started:
                chrome.exe
                  Network: www.google.com 142.250.185.100 (GOOGLEUS, United States)
                chrome.exe
                  Network: 216.58.206.36 (GOOGLEUS, United States)
            msedge.exe
              Signatures: Monitors registry run keys for changes
              Started:
                msedge.exe
        Final.exe
          Dropped: C:\Users\user\AppData\Local\Temp\build.exe (PE32)
          Started:
            build.exe
              Network: 41.216.183.9 ports 58382, 8080 (AS40676US, South Africa); ip-api.com 208.95.112.1 ports 58381, 80 (TUT-ASUS, United States)
              Signatures: Multi AV Scanner detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 4 other signatures
              Started:
                cmd.exe
                  Signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
                  Started:
                    netsh.exe
                    conhost.exe
                    chcp.com
                    findstr.exe
                cmd.exe
                  Started:
                    conhost.exe
                    chcp.com
                    netsh.exe
                    findstr.exe
    file.exe
      Dropped: C:\Users\user\AppData\Local\...\axplong.exe (PE32); C:\Users\user\...\axplong.exe:Zone.Identifier (ASCII)
      Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
      Started:
        axplong.exe
          Signatures: Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; Potentially malicious time measurement code found
    62dceeab4d.exe
      Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Detected PureCrypter Trojan
    6 other processes
      Signatures: Tries to steal Crypto Currency Wallets; Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
      Started:
        msedge.exe
          Network: 23.55.178.220 (NTT-COMMUNICATIONS-2914US, United States); 13.107.246.57 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 21 other IPs or domains
        msedge.exe
        msedge.exe
        msedge.exe