MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1b2cc9a9fed9992129c1673d423647dd8307aada8ccff1b3d0fea35c2c3e741. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs 2 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1b2cc9a9fed9992129c1673d423647dd8307aada8ccff1b3d0fea35c2c3e741
SHA3-384 hash: 01dfe0a4d1f7a21a8922d51dc0bb8ad2c9e44940261940e5520465a80e31e1f540adba1faf36be56410c30f6988997a2
SHA1 hash: d21b5f7ac8206a43814e32b8702a3070ef22026b
MD5 hash: bd0a2011e6b11090989ca522ddd3d64a
humanhash: juliet-angel-salami-florida
File name:F1B2CC9A9FED9992129C1673D423647DD8307AADA8CCF.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:5'381'653 bytes
First seen:2021-11-14 07:16:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yriZ3iq1/oLFrHC9BdWmW6oxocR6XXMj03A9A+5rhExREF3nIekzmUEOQNYo0p69:yul1/osXfqxCzQ9A+7Ex0LPYo0UODzgf
TLSH T13B4633271770E26FEEF2CEB6363625F1D8B9B17940C0B7213700694E2418AD7AD1E799
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://185.163.47.175/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.47.175/ https://threatfox.abuse.ch/ioc/247972/
95.143.179.152:42556 https://threatfox.abuse.ch/ioc/248050/

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLInjector04
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205613/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Jaik-9899450-0
Create hunting rule

Win.Packed.Socelars-9901378-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Connection attempt
Sending a custom TCP request
Running batch commands
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Searching for analyzing tools
DNS request
Moving a recently created file
Deleting a recently created file
Sending an HTTP GET request
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6190b7f0dec3347825a4293d/reports/62c68757-3b35-48b0-b2c1-252c515cd883/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c32703f-289d-4415-8602-7c9d24eba84b
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888799
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 521272 Sample: F1B2CC9A9FED9992129C1673D42... Startdate: 14/11/2021 Architecture: WINDOWS Score: 100 65 136.144.41.58 WORLDSTREAMNL Netherlands 2->65 67 37.0.10.244 WKD-ASIE Netherlands 2->67 69 8 other IPs or domains 2->69 73 Multi AV Scanner detection for domain / URL 2->73 75 Antivirus detection for URL or domain 2->75 77 Antivirus detection for dropped file 2->77 79 17 other signatures 2->79 10 F1B2CC9A9FED9992129C1673D423647DD8307AADA8CCF.exe 10 2->10         started        signatures3 process4 file5 43 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->43 dropped 13 setup_installer.exe 22 10->13         started        process6 file7 45 C:\Users\user\AppData\...\setup_install.exe, PE32 13->45 dropped 47 C:\Users\user\...\Mon16f2ac40c59975b6.exe, PE32 13->47 dropped 49 C:\Users\user\AppData\...\Mon16bdd35287cb.exe, PE32 13->49 dropped 51 17 other files (12 malicious) 13->51 dropped 16 setup_install.exe 1 13->16         started        process8 dnsIp9 53 127.0.0.1 unknown unknown 16->53 71 Adds a directory exclusion to Windows Defender 16->71 20 cmd.exe 16->20         started        22 cmd.exe 1 16->22         started        24 cmd.exe 16->24         started        26 5 other processes 16->26 signatures10 process11 signatures12 29 Mon169ee07134.exe 20->29         started        32 Mon16f2ac40c59975b6.exe 14 2 22->32         started        35 Mon1609f61b80de02a0.exe 24->35         started        81 Adds a directory exclusion to Windows Defender 26->81 37 Mon16633041d06.exe 6 26->37         started        39 Mon16bdd35287cb.exe 26->39         started        41 powershell.exe 25 26->41         started        process13 dnsIp14 83 Antivirus detection for dropped file 29->83 85 Machine Learning detection for dropped file 29->85 87 Sample uses process hollowing technique 29->87 89 Injects a PE file into a foreign processes 29->89 55 8.8.8.8 GOOGLEUS United States 32->55 57 162.159.130.233 CLOUDFLARENETUS United States 32->57 59 192.168.2.1 unknown unknown 35->59 91 Multi AV Scanner detection for dropped file 35->91 61 5.9.162.45 HETZNER-ASDE Germany 37->61 63 149.28.253.196 AS-CHOOPAUS United States 37->63 signatures15
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1b2cc9a9fed9992129c1673d423647dd8307aada8ccff1b3d0fea35c2c3e741/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 23:46:48 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6gzmzgu75wmzeeu4czz5ii3epxmda6vnvdgp6gz5b7vdlqwd45aq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:janesam botnet:nanani aspackv2 backdoor evasion infostealer spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211114-h4dhssdacp/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Arkei
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
https://petrenko96.tumblr.com/
45.142.215.47:27643
65.108.20.195:6774
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
e5f826268a2cbf0270aa2ceb1245333043011572c74663d7e1e46bf7beb4ec27
MD5 hash:
30d1ddb315055019b09876ecb9d2f2d1
SHA1 hash:
eee7112c17fce665c3044117fd09c62de045421b
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash:
21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash:
6dd1d6716cb93adef6c9b39490a79e77fd5396c9
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
894300eca1742f48ed61be1043d3cb9924e89522c24b0f01b7cceb261a1fa073
MD5 hash:
7c82c868054a4fc8a5f6337a55f8d82e
SHA1 hash:
279ef02de285cbaf873e1ac2794406baa1f84f19
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
247d69da57e075f15e7fedc62ef99404f3e4e15988d35c598054f6771567b12a
MD5 hash:
0ef47ae88282ced5a011034e25a46e07
SHA1 hash:
4ee96fa7cf4c7c0d3d909a1726a48551a81aaf72
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
8f730b4e9531e026d02642e920847546a8e6304517c7a09b9d232ad80da6ece7
MD5 hash:
627f54faf6fc2b8b52f7019847f0cb67
SHA1 hash:
fea8972e303c622dc80e3429e1b826fe4b933552
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
d32c3d5c8d0f6273c49f39687648141b946f1c81aa2f81093fbf8b848754c261
MD5 hash:
e3c73b2332d626ff68567dbe5093f89b
SHA1 hash:
f460e8cce5dfabf2eb9d0de98623508bdb02aeac
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
52587a260b384278c789b134c8f08d8af9997aedd818c3c6a280d00aaaa77d2d
MD5 hash:
2c509753fac93810c09574a8b56af1e4
SHA1 hash:
e53da7ff5a9cfc3bda21794d639ed1f02cd7a881
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
ab753f314f8289fa879dc906a5b3e78be5352ef06d0cfd908c2eba70d18d1785
MD5 hash:
56f6840b2b7e680f8323dd66226ed8e0
SHA1 hash:
bf635846ff4e054c7683448cb0ff14224b8d3558
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
5c704bbe3aebff7d20b66583a9de14ef427b59023fcc89d923075107667beb0a
MD5 hash:
83917f92df2e0af3cc02b525d75273d1
SHA1 hash:
661c052f7783e015461d341447588676b6e008be
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
d51ad740818f7d6553e3d5aefdc232380d63ff2a54d0ee944616a1a91ea05ea1
MD5 hash:
fe8fc67abc15f9fd69e3f6f1ee8a7f55
SHA1 hash:
65c0679be4fbf7da6f8fd990ad968344cc81826f
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
aff9ab692225614831ee1630686474da45ab76c978f91345309f76dc8f85c039
MD5 hash:
3a07caaa60f3b83b0e230fbfa6b0b357
SHA1 hash:
57d995c58ad58865787f32d7a1a0eedab1cf8e0f
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
34d336071efce08793a039e08c35bdfb47a64bac76916c05e325c5fc36ec5d3e
MD5 hash:
1ca51c970daeb8cb3e1a494f9a9d276f
SHA1 hash:
51df5cbdabd297928b9b9897724bd82e284c1d60
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
a7098240c00359d4e7b3bb6ee13dc6799ee6a592af0a3d99f86909c703aa12c7
MD5 hash:
8c66db61b0efcafe4ec37046f5b45896
SHA1 hash:
3f83a2a414b1282743f67b8575647fd4296c2588
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
aa32b4b3bf2603493de785c49842ec49a768d72fe1014920a145fbd42bdd1a11
MD5 hash:
b7449ffed5cf5d7974415a1ed5c245e6
SHA1 hash:
2f53e5f533d00680da4ead0cb4d5902ca55a5658
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
e172e9ab673ba8a16005fe45356a3c035f28bb97df776f9f2c97f769fcb1b30a
MD5 hash:
27206a1e01ff1e892d94f96b8f00c39f
SHA1 hash:
1e25e960e709dff139e8603ccfc924fd4c36a2a8
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
ff236ccbd61d322a223e3152e768d0a195bde866d4debbe98929a80946382832
MD5 hash:
14b846dbd77dbedb574227310467d5fb
SHA1 hash:
01318111c3ae602914839f4f44f66dc095f3aa51
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
0fbd853a669d4590b44cda0525f41aa99175133be439db7ca9cd575a2af2636b
MD5 hash:
bb4e4f419dbe419d5cdca7e8534ac023
SHA1 hash:
cdacd0ad82dcefa585734e751b1cea42161a9033
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
53125ece14227901521a3a5b6201fa42544a21fac527396f71593c6d7900560b
MD5 hash:
ca4170793fd4155bc2a3d5e7e5ffe1b9
SHA1 hash:
b257f466d89e804bc8a547f3609636f5dba148d4
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
9525b3fb115058913b7879d2d58a5b82f8a015282db382a47ef6697316bb18b7
MD5 hash:
1598f8bb6ab9b665bddec86665afe271
SHA1 hash:
9d90ac55b46175ba335a9f5e10d3ba591067db6e
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
74429faf346a1abcd1dc324b1f8030024d0ef0509bee2e4f2c58327a5a4e7cda
MD5 hash:
775c8766fb41d8bc51a5e14b2f3e62db
SHA1 hash:
9216ded7e5d2188b3ac3afcc995759aba6044dca
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
d9f4b33a72cbc149cb6f00a6f248d6c0f740b01776e021099368afa896bccae7
MD5 hash:
b7e09eb3ebce96adc31c30cd5d3b667e
SHA1 hash:
cf5dbf2eef484be01a5d626dffe795b91df081b8
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
e19d3bab607a642e1612cc0241ad9e6cff759f721db3f532355fc7149ae7f71b
MD5 hash:
c0411ac375ead6fdea3a4448f447445e
SHA1 hash:
325bfb12dc9d40786a1a9afdddda7d870476b85f
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
SH256 hash:
f1b2cc9a9fed9992129c1673d423647dd8307aada8ccff1b3d0fea35c2c3e741
MD5 hash:
bd0a2011e6b11090989ca522ddd3d64a
SHA1 hash:
d21b5f7ac8206a43814e32b8702a3070ef22026b
Link:
https://www.unpac.me/results/f6c6da92-7dd6-41d6-8cea-548802fd4aa6/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f1b2cc9a9fed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205613/

Comments