MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f12b81cc245b808bd7af995d30b220fdd1ae3ed65542b6d664ebc107bdec956d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 19


Intelligence 19 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f12b81cc245b808bd7af995d30b220fdd1ae3ed65542b6d664ebc107bdec956d
SHA3-384 hash: 7c365fe16718c18c1ec6e7a78e50b5eb53b7c25b2170347eb05191d5ff4e454abf1bd33c91795dc2721d1e79860d2270
SHA1 hash: 4a85bcce9da53127e861c53445c88f0c4b772ccd
MD5 hash: 3553ec492baf74513560f2bcfcc8be4b
humanhash: twenty-twenty-timing-timing
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:1'920'000 bytes
First seen:2024-11-01 21:11:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:he4oKO3eOKdCzYTtYiO7SO6lWLALX/0ZPcYMK8PHbAtMAzZmQdRcNHOKtxSps0cc:MKQxpz6tYUL/0ZURHbG9N0NHOAwBga
Threatray 4'937 similar samples on MalwareBazaar
TLSH T11895335C1CD4AF3BF642D83F8B21CB67B1C69C990DFA7B867A811E39401D6D678044EA
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:Amadey exe


Avatar
Bitsight
url: http://185.215.113.16/mine/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
409
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-01 21:18:33 UTC
Tags:
amadey botnet stealer themida
Link:
https://app.any.run/tasks/76f861a3-c845-445e-b498-7054444b598a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6725442849e92a05dde24fe5
Tags:
vmdetect autorun autoit spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67254428d71e009bb1f88ca7/reports/14c1c596-a332-451f-8743-fd8330ca154b/overview
Verdict:
Malicious
Labled as:
Kryptik.Generic
Link:
https://www.hybrid-analysis.com/sample/f12b81cc245b808bd7af995d30b220fdd1ae3ed65542b6d664ebc107bdec956d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/705a70c7-6772-4851-9702-560a62bd3f79
Result
Threat name:
LummaC, Amadey, Credential Flusher, Lumm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1547145
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1547145 Sample: file.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 98 thumbystriw.store 2->98 100 presticitpo.store 2->100 102 20 other IPs or domains 2->102 130 Suricata IDS alerts for network traffic 2->130 132 Found malware configuration 2->132 134 Antivirus / Scanner detection for submitted sample 2->134 136 16 other signatures 2->136 9 skotes.exe 4 25 2->9         started        14 file.exe 5 2->14         started        16 5a1bf9dc1f.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 118 185.215.113.43, 49707, 49708, 49712 WHOLESALECONNECTIONSNL Portugal 9->118 120 185.215.113.16, 49709, 49713, 49722 WHOLESALECONNECTIONSNL Portugal 9->120 86 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->86 dropped 88 C:\Users\user\AppData\...\0fc326aa23.exe, PE32 9->88 dropped 90 C:\Users\user\AppData\...\f13a702b9c.exe, PE32 9->90 dropped 96 5 other malicious files 9->96 dropped 162 Creates multiple autostart registry keys 9->162 164 Hides threads from debuggers 9->164 166 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->166 20 f13a702b9c.exe 38 9->20         started        25 5a1bf9dc1f.exe 1 9->25         started        27 0fc326aa23.exe 9->27         started        29 num.exe 9->29         started        92 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->92 dropped 94 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->94 dropped 168 Detected unpacking (changes PE section rights) 14->168 170 Tries to evade debugger and weak emulator (self modifying code) 14->170 172 Tries to detect virtualization through RDTSC time measurements 14->172 174 Potentially malicious time measurement code found 14->174 31 skotes.exe 14->31         started        176 Query firmware table information (likely to detect VMs) 16->176 178 Tries to harvest and steal ftp login credentials 16->178 180 Tries to harvest and steal browser information (history, passwords, etc) 16->180 182 Tries to steal Crypto Currency Wallets 16->182 184 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->184 33 firefox.exe 18->33         started        35 msedge.exe 18->35         started        37 taskkill.exe 18->37         started        39 2 other processes 18->39 file6 signatures7 process8 dnsIp9 104 185.215.113.206, 49720, 80 WHOLESALECONNECTIONSNL Portugal 20->104 78 C:\Users\user\AppData\...\freebl3[1].dll, PE32 20->78 dropped 80 C:\ProgramData\freebl3.dll, PE32 20->80 dropped 82 C:\ProgramData\chrome.dll, PE32 20->82 dropped 138 Multi AV Scanner detection for dropped file 20->138 140 Detected unpacking (changes PE section rights) 20->140 142 Attempt to bypass Chrome Application-Bound Encryption 20->142 160 7 other signatures 20->160 41 chrome.exe 20->41         started        44 msedge.exe 20->44         started        106 necklacedmny.store 188.114.96.3, 443, 49711, 49714 CLOUDFLARENETUS European Union 25->106 84 C:\Users\...\2QNU7W41MH8AV1LOK1E42CHO7.exe, PE32 25->84 dropped 144 Query firmware table information (likely to detect VMs) 25->144 146 Found many strings related to Crypto-Wallets (likely being stolen) 25->146 148 Tries to evade debugger and weak emulator (self modifying code) 25->148 150 LummaC encrypted strings found 25->150 152 Binary is likely a compiled AutoIt script file 27->152 47 taskkill.exe 27->47         started        49 taskkill.exe 27->49         started        51 taskkill.exe 27->51         started        59 3 other processes 27->59 154 Tries to detect virtualization through RDTSC time measurements 31->154 156 Hides threads from debuggers 31->156 158 Tries to detect sandboxes / dynamic malware analysis system (registry check) 31->158 108 youtube.com 172.217.18.14 GOOGLEUS United States 33->108 114 6 other IPs or domains 33->114 53 firefox.exe 33->53         started        55 firefox.exe 33->55         started        110 104.208.16.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 35->110 112 s-part-0017.t-0009.t-msedge.net 13.107.246.45, 443, 49719, 49723 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 35->112 116 26 other IPs or domains 35->116 57 conhost.exe 37->57         started        file10 signatures11 process12 dnsIp13 122 192.168.2.8, 443, 49703, 49704 unknown unknown 41->122 124 239.255.255.250 unknown Reserved 41->124 61 chrome.exe 41->61         started        64 chrome.exe 41->64         started        186 Monitors registry run keys for changes 44->186 66 msedge.exe 44->66         started        68 conhost.exe 47->68         started        70 conhost.exe 49->70         started        72 conhost.exe 51->72         started        74 conhost.exe 59->74         started        76 conhost.exe 59->76         started        signatures14 process15 dnsIp16 126 www.google.com 142.250.181.228 GOOGLEUS United States 61->126 128 142.250.184.228 GOOGLEUS United States 64->128
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f12b81cc245b808bd7af995d30b220fdd1ae3ed65542b6d664ebc107bdec956d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f12b81cc245b808bd7af995d30b220fdd1ae3ed65542b6d664ebc107bdec956d/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-11-01 21:12:13 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 38 (55.26%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6evydtbeloaixv5ptfotbmra7xi24pwwkvblnvte5paqpppmsvwq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
amadey
Create hunting rule
stealc
Create hunting rule
Similar samples:
15952521ff76d233a2a4ab1700dc4a27933d34bcd59a3f9525497a6acd768d1d
Amadey
2a489ce667dbde254a0255a749a55224070f146355a571a228bad5cd8327c8d5
Amadey
32719efc4d0a346687fc42db9d6c9c1e9aa38921d43e064e6b8b17cb6e4e5b37
Amadey
51c35cc8bfc37189048a0454992f30143289dcace11c5fc108db47e91f467bd0
Amadey
6e2b1ee5f03b5cc5117b10f8436ae0b716c0e2c7f3accf3d97928a322bf71e9e
Amadey
9e13c0c0d9dc49f26224c47d12c12482ce0a1ad9a150bd73f7623ff542840851
Amadey
b599415ee3535fa2b984b7960113d70825900a3aefa3636fa6079419f71c4186
Amadey
error
Amadey
f12b81cc245b808bd7af995d30b220fdd1ae3ed65542b6d664ebc107bdec956d
Amadey
f7974f447cff586aecce3343ee40dd9f4ed5a8c2f55f4e0d43ae72ce70e3f832
Amadey
fbc8c32bf799a005c57540a2e85dd3662ed5795a55f11495f0ba569bbb09df59
Amadey
+ 4'927 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:stealc botnet:9c9aa5 botnet:tale credential_access discovery evasion stealer trojan
Link:
https://tria.ge/reports/241101-z2dt8avhkf/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.43
http://185.215.113.206
Verdict:
Malicious
Tags:
amadey
YARA:
n/a
Link:
https://app.threat.zone/submission/af922b2d-4dfb-4ae8-beca-2e70f9b55585
Unpacked files
SH256 hash:
6876ef018384ff23a193a69ee8611773f84a49927fcdafebff87b165e9f47e03
MD5 hash:
38559b53853fb2dd66bcd0ae7da8677e
SHA1 hash:
493c09965c2780dd94a667af38822b80ba8e0a3a
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/07846ed0-95c0-4c35-9428-b42fe0bfb6ef/
SH256 hash:
f12b81cc245b808bd7af995d30b220fdd1ae3ed65542b6d664ebc107bdec956d
MD5 hash:
3553ec492baf74513560f2bcfcc8be4b
SHA1 hash:
4a85bcce9da53127e861c53445c88f0c4b772ccd
Link:
https://www.unpac.me/results/07846ed0-95c0-4c35-9428-b42fe0bfb6ef/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f12b81cc245b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f12b81cc245b808bd7af995d30b220fdd1ae3ed65542b6d664ebc107bdec956d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe f12b81cc245b808bd7af995d30b220fdd1ae3ed65542b6d664ebc107bdec956d

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3072521/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments