MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f09de3a92e06df03fe93985a0814c125e8b337eb757e9ccd38ef7904c45f09d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f09de3a92e06df03fe93985a0814c125e8b337eb757e9ccd38ef7904c45f09d7
SHA3-384 hash: cb6ebd018a6b85325e816cd2f0955cb2019244e19fedca21491e47486962fb0f93ca4603206020e7909ee2ce909c92db
SHA1 hash: 907f8ba37bd9b90354ad6fa80026f1a8b8c5db0f
MD5 hash: 885cadcd9cc4a6068c0b7d8ca2c73ba6
humanhash: stairway-grey-texas-violet
File name:885cadcd9cc4a6068c0b7d8ca2c73ba6.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:253'304 bytes
First seen:2023-09-11 06:35:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep 6144:twbUIz6DCGbAR/VeDC1tAOIcCjBfzv+TurBiIg:tXIzaC+UjbwBrvSurBiIg
Threatray 91 similar samples on MalwareBazaar
TLSH T16E34AE1074D9C4F3D832153609F0EBB65A3DB9600B6199EFB7E40F7E4F202C1AA7566A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
162.33.179.91:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
885cadcd9cc4a6068c0b7d8ca2c73ba6.exe
Verdict:
No threats detected
Analysis date:
2023-09-11 06:37:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/034f55eb-f3c8-49b2-be19-9b9aeca695e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447830/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.25116.19700.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/64feb553b3be59ae4dd4d323/reports/1e1ebdee-3769-4cde-9ac8-f7e1ffc4f2b4/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/f09de3a92e06df03fe93985a0814c125e8b337eb757e9ccd38ef7904c45f09d7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/57ab8779-080e-4f04-b5ea-c7587c2ed0f9
Result
Threat name:
Amadey, Mystic Stealer, RedLine, SmokeLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307061
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1307061 Sample: OBcgXVrYB9.exe Startdate: 11/09/2023 Architecture: WINDOWS Score: 100 161 Snort IDS alert for network traffic 2->161 163 Found malware configuration 2->163 165 Malicious sample detected (through community Yara rule) 2->165 167 11 other signatures 2->167 12 OBcgXVrYB9.exe 1 2->12         started        15 vihwgjr 2->15         started        17 oneetx.exe 2->17         started        process3 signatures4 225 Contains functionality to inject code into remote processes 12->225 227 Writes to foreign memory regions 12->227 229 Allocates memory in foreign processes 12->229 231 Injects a PE file into a foreign processes 12->231 19 AppLaunch.exe 12->19         started        22 conhost.exe 12->22         started        24 WerFault.exe 21 9 12->24         started        process5 signatures6 169 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->169 171 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->171 173 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->173 175 4 other signatures 19->175 26 explorer.exe 4 12 19->26 injected process7 dnsIp8 143 79.137.192.18, 49715, 80 PSKSET-ASRU Russian Federation 26->143 145 77.91.68.29, 49705, 49707, 49710 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 26->145 147 2 other IPs or domains 26->147 115 C:\Users\user\AppData\Roaming\vihwgjr, PE32 26->115 dropped 117 C:\Users\user\AppData\Local\Temp546.exe, PE32 26->117 dropped 119 C:\Users\user\AppData\Local\Temp\A49E.exe, PE32 26->119 dropped 121 3 other malicious files 26->121 dropped 233 System process connects to network (likely due to code injection or exploit) 26->233 235 Benign windows process drops PE files 26->235 237 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->237 31 7BF1.exe 4 26->31         started        35 E546.exe 4 26->35         started        37 3E37.exe 26->37         started        39 2 other processes 26->39 file9 signatures10 process11 dnsIp12 123 C:\Users\user\AppData\Local\...\x0842372.exe, PE32 31->123 dropped 125 C:\Users\user\AppData\Local\...\k3423260.exe, PE32 31->125 dropped 149 Antivirus detection for dropped file 31->149 151 Machine Learning detection for dropped file 31->151 42 x0842372.exe 4 31->42         started        46 k3423260.exe 31->46         started        127 C:\Users\user\AppData\Local\...\y9032141.exe, PE32 35->127 dropped 129 C:\Users\user\AppData\Local\...\p2747149.exe, PE32 35->129 dropped 48 y9032141.exe 35->48         started        131 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 37->131 dropped 153 Multi AV Scanner detection for dropped file 37->153 50 oneetx.exe 37->50         started        137 162.33.179.91, 80 CORENETUS United States 39->137 155 Writes to foreign memory regions 39->155 157 Allocates memory in foreign processes 39->157 159 Injects a PE file into a foreign processes 39->159 53 vbc.exe 39->53         started        file13 signatures14 process15 dnsIp16 107 C:\Users\user\AppData\Local\...\x2849377.exe, PE32 42->107 dropped 109 C:\Users\user\AppData\Local\...\j2618771.exe, PE32 42->109 dropped 203 Antivirus detection for dropped file 42->203 205 Machine Learning detection for dropped file 42->205 55 x2849377.exe 4 42->55         started        59 j2618771.exe 42->59         started        207 Writes to foreign memory regions 46->207 209 Allocates memory in foreign processes 46->209 211 Injects a PE file into a foreign processes 46->211 61 AppLaunch.exe 46->61         started        63 conhost.exe 46->63         started        111 C:\Users\user\AppData\Local\...\y0266865.exe, PE32 48->111 dropped 113 C:\Users\user\AppData\Local\...\o6528606.exe, PE32 48->113 dropped 65 y0266865.exe 48->65         started        67 o6528606.exe 48->67         started        133 5.42.65.80, 49720, 49721, 49723 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 50->133 213 Multi AV Scanner detection for dropped file 50->213 215 Creates an undocumented autostart registry key 50->215 217 Uses schtasks.exe or at.exe to add and modify task schedules 50->217 69 cmd.exe 50->69         started        71 schtasks.exe 50->71         started        135 176.123.9.85, 16482, 49717 ALEXHOSTMD Moldova Republic of 53->135 219 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 53->219 221 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 53->221 223 Tries to steal Crypto Currency Wallets 53->223 file17 signatures18 process19 file20 99 C:\Users\user\AppData\Local\...\i0296762.exe, PE32 55->99 dropped 101 C:\Users\user\AppData\Local\...\g0090300.exe, PE32 55->101 dropped 177 Antivirus detection for dropped file 55->177 179 Machine Learning detection for dropped file 55->179 73 i0296762.exe 55->73         started        77 g0090300.exe 1 55->77         started        181 Tries to harvest and steal browser information (history, passwords, etc) 61->181 103 C:\Users\user\AppData\Local\...\n9210921.exe, PE32 65->103 dropped 105 C:\Users\user\AppData\Local\...\m0700157.exe, PE32 65->105 dropped 79 n9210921.exe 65->79         started        81 m0700157.exe 65->81         started        183 Writes to foreign memory regions 67->183 185 Allocates memory in foreign processes 67->185 187 Injects a PE file into a foreign processes 67->187 83 conhost.exe 67->83         started        85 conhost.exe 69->85         started        87 cmd.exe 69->87         started        91 5 other processes 69->91 89 conhost.exe 71->89         started        signatures21 process22 dnsIp23 139 77.91.124.82, 19071, 49713, 49716 ECOTEL-ASRU Russian Federation 73->139 189 Antivirus detection for dropped file 73->189 191 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 73->191 193 Machine Learning detection for dropped file 73->193 195 Writes to foreign memory regions 77->195 197 Allocates memory in foreign processes 77->197 199 Injects a PE file into a foreign processes 77->199 93 WerFault.exe 10 77->93         started        95 AppLaunch.exe 1 77->95         started        97 conhost.exe 77->97         started        201 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 79->201 141 5.42.92.211, 49712, 49734, 49743 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 81->141 signatures24 process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f09de3a92e06df03fe93985a0814c125e8b337eb757e9ccd38ef7904c45f09d7/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-11 06:36:06 UTC
File Type:
PE (Exe)
AV detection:
19 of 23 (82.61%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6co6hkjoa3pqh7uttbnaqfgbexulgn7lov7jztjy554qjrc7bhlq._file
Verdict:
unknown
Similar samples:
20b7a8940c1f7bbde1b495a888df9c30ed088a11ec3b4ebcca6754d20fd3dd74
Amadey
40b5bf06cc102c64baa6e227edf70a638d1f2c03035a3f0fafac5f448496a6d5
Amadey
4f5949d4f29acac886fc57e87649c031edcb2e0b675fd9537b5e3fc736b93edf
Amadey
6f9de685cc3db3689fda7269ffbbdd5a84cf0697a71150f7cdefa93de4b219a1
Amadey
7e0094b1a8d01513026e884153221c5783e29a1db82101e0439333f2ac91544f
Amadey
7f58a7af82d23f8e3d96d59d475f17a532f342850a4ff1b5a002c53244ed3178
Amadey
8e359dde4bb5bbef88e7c785804ed1544ce37b2cdeb8f50ff5eb0b9e8ad0f0bb
Amadey
9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64
Amadey
adae27992594d21e3d9b08969d6159068b82c8c1cda9c9cc9a2390dbec26a9da
Amadey
e28de02461c37e831d3dd3c47f1e53eaa892d46723fee43a53abafd615072a35
Amadey
+ 81 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:smokeloader backdoor infostealer spyware trojan
Link:
https://tria.ge/reports/230911-hcxglaec47/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Downloads MZ/PE file
Amadey
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
http://5.42.65.80/8bmeVwqx/index.php
Unpacked files
SH256 hash:
f09de3a92e06df03fe93985a0814c125e8b337eb757e9ccd38ef7904c45f09d7
MD5 hash:
885cadcd9cc4a6068c0b7d8ca2c73ba6
SHA1 hash:
907f8ba37bd9b90354ad6fa80026f1a8b8c5db0f
Link:
https://www.unpac.me/results/863b0a3d-c09f-480b-93c1-3d50c0c024ac/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f09de3a92e06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Amadey
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f09de3a92e06df03fe93985a0814c125e8b337eb757e9ccd38ef7904c45f09d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe f09de3a92e06df03fe93985a0814c125e8b337eb757e9ccd38ef7904c45f09d7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710381/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447830/

Comments