MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7
SHA3-384 hash: 56edc3a941b3cb3476693513a752b6285adb53137d13ab287dcc59e59cefefa2802a27b19a328940843d27bd8fb2a540
SHA1 hash: 275e8cb6734e4cadafd6648188ef906e5a096940
MD5 hash: 5a54de0db43a7512621f0bf10f1c463a
humanhash: sink-robert-cardinal-river
File name:SecuriteInfo.com.Trojan.MulDropNET.43.26325.8374
Download: download sample
Signature Amadey
Create hunting rule
File size:489'472 bytes
First seen:2023-08-22 21:29:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'238 x SnakeKeylogger)
ssdeep 12288:0kTSlFW78BJRhCiPVdBK7NAuFH4f5rF5H2:0PO8BLhdVdc7X2fd2
Threatray 44 similar samples on MalwareBazaar
TLSH T11BA49B3A15F44257F2C115B8BFF04B972E29F4228A917E9EC14442961E53FBCF96838B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.MulDropNET.43.26325.8374
Verdict:
Malicious activity
Analysis date:
2023-08-22 21:31:56 UTC
Tags:
amadey trojan kelihos loader smoke miner
Link:
https://app.any.run/tasks/7ad0e3c5-1617-437f-8cbb-700e40026cee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/444235/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.43.26325.8374.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm masquerade packed
Link:
https://www.filescan.io/uploads/64e528dc2a89064e55970575/reports/5122f510-85b7-412f-a963-e90030063735/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df72cc40-d26d-4415-8788-5b8306007363
Result
Threat name:
Amadey, Glupteba, LummaC Stealer, SmokeL
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1295539
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Drops PE files with benign system names
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the hosts file
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1295539 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 22/08/2023 Architecture: WINDOWS Score: 100 122 xmr-eu1.nanopool.org 2->122 124 server8.mastiakele.xyz 2->124 126 pastebin.com 2->126 140 Snort IDS alert for network traffic 2->140 142 Found malware configuration 2->142 144 Malicious sample detected (through community Yara rule) 2->144 146 19 other signatures 2->146 12 SecuriteInfo.com.Trojan.MulDropNET.43.26325.8374.exe 4 2->12         started        16 jrsvedb 2->16         started        18 oneetx.exe 2->18         started        20 3 other processes 2->20 signatures3 process4 file5 102 C:\Users\user\AppData\Local\...\newplayer.exe, PE32 12->102 dropped 104 C:\Users\user\AppData\Local\...\4dfa4bad.exe, PE32 12->104 dropped 192 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->192 22 newplayer.exe 3 12->22         started        26 4dfa4bad.exe 12->26         started        194 Detected unpacking (changes PE section rights) 16->194 196 Machine Learning detection for dropped file 16->196 198 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->198 200 3 other signatures 16->200 signatures6 process7 file8 96 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 22->96 dropped 176 Antivirus detection for dropped file 22->176 178 Multi AV Scanner detection for dropped file 22->178 180 Machine Learning detection for dropped file 22->180 182 Contains functionality to inject code into remote processes 22->182 28 oneetx.exe 22 22->28         started        184 Detected unpacking (changes PE section rights) 26->184 186 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 26->186 188 Maps a DLL or memory area into another process 26->188 190 2 other signatures 26->190 33 explorer.exe 26->33 injected signatures9 process10 dnsIp11 128 5.42.65.80, 49720, 49722, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 28->128 130 45.9.74.80, 49719, 49721, 49723 FIRST-SERVER-EU-ASRU Russian Federation 28->130 132 79.137.192.18, 49724, 80 PSKSET-ASRU Russian Federation 28->132 106 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 28->106 dropped 108 C:\Users\user\AppData\Local\...\datacas.exe, PE32 28->108 dropped 110 C:\Users\user\AppData\...\repairtool.exe, PE32 28->110 dropped 118 3 other malicious files 28->118 dropped 202 Antivirus detection for dropped file 28->202 204 Multi AV Scanner detection for dropped file 28->204 206 Creates an undocumented autostart registry key 28->206 214 2 other signatures 28->214 35 datacas.exe 13 28->35         started        38 latestX.exe 28->38         started        41 repairtool.exe 28->41         started        51 2 other processes 28->51 134 187.212.189.97, 49863, 49870, 49972 UninetSAdeCVMX Mexico 33->134 136 shsplatform.co.uk 80.66.203.53, 443, 49940 UKFASTGB United Kingdom 33->136 138 6 other IPs or domains 33->138 112 C:\Users\user\AppData\Roaming\jrsvedb, PE32 33->112 dropped 114 C:\Users\user\AppData\Local\Temp7F4.exe, PE32 33->114 dropped 116 C:\Users\user\AppData\Local\Temp\CDAD.exe, PE32 33->116 dropped 120 2 other malicious files 33->120 dropped 208 System process connects to network (likely due to code injection or exploit) 33->208 210 Benign windows process drops PE files 33->210 212 Suspicious powershell command line found 33->212 216 2 other signatures 33->216 43 cmd.exe 33->43         started        45 cmd.exe 33->45         started        47 powershell.exe 33->47         started        49 powershell.exe 33->49         started        file12 signatures13 process14 file15 148 Multi AV Scanner detection for dropped file 35->148 150 Detected unpacking (changes PE section rights) 35->150 152 Detected unpacking (overwrites its own PE header) 35->152 170 4 other signatures 35->170 53 datacas.exe 35->53         started        57 powershell.exe 35->57         started        98 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 38->98 dropped 100 C:\Windows\System32\drivers\etc\hosts, ASCII 38->100 dropped 154 Suspicious powershell command line found 38->154 156 Modifies the hosts file 38->156 158 Adds a directory exclusion to Windows Defender 38->158 160 Machine Learning detection for dropped file 41->160 162 Sample uses process hollowing technique 41->162 59 repairtool.exe 41->59         started        164 Uses powercfg.exe to modify the power settings 43->164 166 Uses netsh to modify the Windows network and firewall settings 43->166 168 Modifies power options to not sleep / hibernate 43->168 67 6 other processes 43->67 69 5 other processes 45->69 61 conhost.exe 47->61         started        63 conhost.exe 49->63         started        65 conhost.exe 51->65         started        71 7 other processes 51->71 signatures16 process17 file18 94 C:\Windows\rss\csrss.exe, PE32 53->94 dropped 174 Creates an autostart registry key pointing to binary in C:\Windows 53->174 73 cmd.exe 53->73         started        75 powershell.exe 53->75         started        77 powershell.exe 53->77         started        81 2 other processes 53->81 79 conhost.exe 57->79         started        signatures19 process20 process21 83 netsh.exe 73->83         started        86 conhost.exe 73->86         started        88 conhost.exe 75->88         started        90 conhost.exe 77->90         started        92 conhost.exe 81->92         started        signatures22 172 Creates files in the system32 config directory 83->172
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7/
Threat name:
ByteCode-MSIL.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-08-22 21:30:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=53zl4u2henrtd3gtmw67gpxync3fdc7lpluua5f6k34vluvjkhlq._file
Verdict:
malicious
Similar samples:
08e61151199e31c2cf54f12f95c8ad95ee8467bb630166800114c0b912682a74
Amadey
1e662d2a9bc77dc09ff39c21dbd8f11968da7c1dea6f4bbcfc5216c0d8f8c8fd
Amadey
20b011e6cd045f3d056a9faff944746f90dfe511e7310aa045ab3cdffe680cc2
Amadey
60312f09f1b44e0668a6ce58ec3fb7638858f5c555d281f9402f5c1ce5b6704d
Amadey
7d07d17c2783ceeee097dc94082d7991a7e27755065dc5f73be10321803fe80f
Amadey
b2b28f2e4d64a4c7f769051c9bf921a32de817fd34a2ec494a0ad4539c1a79c0
Amadey
e1c417cdc500c29e12ee68d5bc4e52314d045031b5380b7854b4b34ec9ea0abe
Amadey
f2d0f2dac71c7ee35134c60db2f50514005e58832b2dedc388080c71dad6f411
Amadey
fd1ec8d70bf1ce2071d44eed5e62a72f9f676a3ee488b82c37e9fdaba6bdcb42
Amadey
fec5e8cb13f8418df2d3c2188c40eb2844084b02bdd9f2a899690b3a7b25986c
Amadey
+ 34 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:glupteba family:smokeloader family:xmrig botnet:pub5 botnet:up3 backdoor dropper evasion loader miner persistence rootkit spyware stealer trojan
Link:
https://tria.ge/reports/230822-1cf4qafe38/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Amadey
Glupteba
Glupteba payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
xmrig
Malware Config
C2 Extraction:
45.9.74.80/0bjdn2Z/index.php
http://taibi.at/tmp/
http://01stroy.ru/tmp/
http://mal-net.com/tmp/
http://gromograd.ru/tmp/
http://kingpirate.ru/tmp/
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
10404d8441ad542ad87e4c65273b85c363ff88eb1742a55761c266b03cba6239
MD5 hash:
093e62edc8ff597edff531323100aeee
SHA1 hash:
7248d21d5221aa613b5d4fb234fd794a6eb22e63
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/ccd67a72-9460-4ad3-878e-8b96c4690f4e/
Parent samples :
e1c417cdc500c29e12ee68d5bc4e52314d045031b5380b7854b4b34ec9ea0abe
08e61151199e31c2cf54f12f95c8ad95ee8467bb630166800114c0b912682a74
1e662d2a9bc77dc09ff39c21dbd8f11968da7c1dea6f4bbcfc5216c0d8f8c8fd
eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7
6531b801cc6cbf4139616803f9d43e9b886eed6c9ca82b86bb9c461c50f673a0
dc8ce8ab78c6cdddfd1ccd40a3b8d4d177a9ab9de871bbf9e81c54b97e29a342
2dea8cfcd31f4675d5462c385139b59528759bee88aec34ed9d0757d289e7a34
e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d
4d7a22a1f7d76310b2c8420cb2f02ef4633cb689e4b8eaaab165731b9341163f
2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7
SH256 hash:
337a915cabb22c15287a38e2ee6caabaeb0eb17e972adeb745c1a301a6be0f34
MD5 hash:
94bb0f5735a2b8a7f4906e44b9df94a7
SHA1 hash:
88b97228d5612fe1c67f5ddaa9957be6f5d508ee
Link:
https://www.unpac.me/results/ccd67a72-9460-4ad3-878e-8b96c4690f4e/
SH256 hash:
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
MD5 hash:
f0033521f40c06dec473854c7d98fa8b
SHA1 hash:
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/ccd67a72-9460-4ad3-878e-8b96c4690f4e/
Parent samples :
6aa14b8612361f8cd34a86edcf341aaee819fb9a0cc18d51165e52afdcbe5e60
68af9af3506c7a35ef60026b6662cbc1fda0b36007a6eb48a974e4d7574db21f
81d2aa64b3f784fc0dab7694d106bedbd193786ab47dd064c0c5a8714d3fcaff
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
23d2138b76775d5169145dedfaff7db5bca58b481994ced84cade8490e720fc1
f991e808ed44c731fea1758fd6a275ec4e3ee66a5a691dbf1f9414a5faa144a1
10c5faf1316a4caf9edafd41c9c5a87a346c3cceb81de7ca106eee22be3069b8
e1c417cdc500c29e12ee68d5bc4e52314d045031b5380b7854b4b34ec9ea0abe
08e61151199e31c2cf54f12f95c8ad95ee8467bb630166800114c0b912682a74
eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7
6531b801cc6cbf4139616803f9d43e9b886eed6c9ca82b86bb9c461c50f673a0
dc8ce8ab78c6cdddfd1ccd40a3b8d4d177a9ab9de871bbf9e81c54b97e29a342
2dea8cfcd31f4675d5462c385139b59528759bee88aec34ed9d0757d289e7a34
e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d
4d7a22a1f7d76310b2c8420cb2f02ef4633cb689e4b8eaaab165731b9341163f
SH256 hash:
eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7
MD5 hash:
5a54de0db43a7512621f0bf10f1c463a
SHA1 hash:
275e8cb6734e4cadafd6648188ef906e5a096940
Link:
https://www.unpac.me/results/ccd67a72-9460-4ad3-878e-8b96c4690f4e/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eef2be534723/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:msil_rc4
Create hunting rule
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:shortloader
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:ShortLoader Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/444235/
  
URLhaus
https://urlhaus.abuse.ch/url/2706077/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2694492/

Comments