MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1dc32d9d1065e929bea07b26b09210056271a74dcf0e6b4e2d9705590b3753e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1dc32d9d1065e929bea07b26b09210056271a74dcf0e6b4e2d9705590b3753e
SHA3-384 hash: e1f60474de930eed26acb326a6c3a44addea2d3aec26de3845ae378844ef43bfca5d9b9fb24ac144c12e08d6738be3d1
SHA1 hash: 02daf20b5f81f875494b1a79391becd09ddf1e6c
MD5 hash: efd7aaf116a402162f527d2dbb59ab16
humanhash: texas-may-idaho-lamp
File name:manage_address-09058355.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:189'952 bytes
First seen:2020-10-05 02:58:22 UTC
Last seen:2020-10-05 03:48:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 32477f6fe8db1de6b5bc525bb018c3c6 (3 x Tofsee, 1 x Amadey, 1 x CoinMiner)
ssdeep 3072:vINXFQ39MOLZsvDRM5QdCSno1BUVsPHkQ:WZOLZsEQdCko1HfL
Threatray 93 similar samples on MalwareBazaar
TLSH A6048D11BFF1C072D16748348C31A2B06A3BBD21E578CA473BE12B6A6E352C15BAB755
Reporter vm001cn
Tags:Amadey Loader Predator taurus

Intelligence

File Origin
# of uploads :
2
# of downloads :
922
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68030/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Changing the Zone.Identifier stream
Launching a process
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480966
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadey\'s stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 292923 Sample: manage_address-09058355.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Found malware configuration 2->81 83 Antivirus detection for dropped file 2->83 85 8 other signatures 2->85 8 bdif.exe 18 2->8         started        13 manage_address-09058355.exe 4 2->13         started        process3 dnsIp4 51 217.8.117.98, 49732, 49733, 49734 CREXFEXPEX-RUSSIARU Russian Federation 8->51 53 downloadcenter.xyz 45.77.125.110, 443, 49743 AS-CHOOPAUS United States 8->53 41 C:\Users\user\AppData\Local\Temp\scr.dll, PE32 8->41 dropped 43 C:\Users\user\AppData\Local\Temp\cred.dll, PE32 8->43 dropped 45 C:\Users\user\AppData\Local\Temp\1.exe, PE32 8->45 dropped 49 3 other malicious files 8->49 dropped 87 Antivirus detection for dropped file 8->87 89 Multi AV Scanner detection for dropped file 8->89 91 Detected unpacking (changes PE section rights) 8->91 97 2 other signatures 8->97 15 1.exe 13 8->15         started        19 rundll32.exe 8->19         started        21 reg.exe 1 8->21         started        25 3 other processes 8->25 47 C:\ProgramData\32b1a07b8f\bdif.exe, PE32 13->47 dropped 93 Detected unpacking (overwrites its own PE header) 13->93 95 Creates files in alternative data streams (ADS) 13->95 23 schtasks.exe 1 13->23         started        file5 signatures6 process7 dnsIp8 55 louchmong.top 8.208.90.102, 49770, 49785, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 15->55 59 Antivirus detection for dropped file 15->59 61 Multi AV Scanner detection for dropped file 15->61 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->63 65 Tries to harvest and steal browser information (history, passwords, etc) 15->65 27 cmd.exe 1 15->27         started        57 192.168.2.3, 443, 49563, 49679 unknown unknown 19->57 67 Tries to steal Instant Messenger accounts or passwords 19->67 69 Tries to steal Mail credentials (via file access) 19->69 71 Tries to harvest and steal ftp login credentials 19->71 73 Creates an undocumented autostart registry key 21->73 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        75 System process connects to network (likely due to code injection or exploit) 25->75 77 Creates multiple autostart registry keys 25->77 33 conhost.exe 25->33         started        35 conhost.exe 25->35         started        signatures9 process10 process11 37 conhost.exe 27->37         started        39 timeout.exe 1 27->39         started       
Detection:
amadey
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1dc32d9d1065e929bea07b26b09210056271a74dcf0e6b4e2d9705590b3753e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-01 23:33:28 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hodfworazpjfg7ka6zgwcjbablcogtu3tyonnhc3fyfleftou7a._file
Verdict:
malicious
Similar samples:
0d8a2a7eda083b02daf9ee062fbb5c1c57d689916992e4343f69103069a81fd9
Amadey
0fc5adafd96fb918ffa0e93b274acede778eab5c614ba796a0879aababcecb0b
Amadey
2701e092e550bb607c9305ba4478e2b115664a1c985b14c99fb745ce56f53e51
Amadey
4628e3a640d67d1cf95faa83c2c018ade658bba77aa88aaf04ac1397875bf693
Amadey
565dd05e9af2bc368094e8b0f533e54b4f9e677b03805bd48054d78cc2e0df46
Amadey
6579c42ec01f199d0b139ab0976d6c251217020105ed83f35cd83db968b28ad9
Amadey
80f19d58d6c1cf1f362bbef6ceec409de0efb225dbf78b729e773f63b08255e2
Amadey
b0492ee53bdfcde8453259a3f9e63ae29a11ef277afa0cd4ad1339e873f61af0
Amadey
bd05c3d9547104bd7bb5ef82fad00cf1d990fc31e07580314c9def2eaec2b16b
Amadey
e9faa7dce8d4693ebef2e9f47d3af496323b887e7733e38eca4e40a937cd1dfe
Amadey
+ 83 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
spyware discovery trojan family:amadey persistence
Link:
https://tria.ge/reports/201005-xzze74msl6/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Executes dropped EXE
Amadey
Unpacked files
SH256 hash:
f1dc32d9d1065e929bea07b26b09210056271a74dcf0e6b4e2d9705590b3753e
MD5 hash:
efd7aaf116a402162f527d2dbb59ab16
SHA1 hash:
02daf20b5f81f875494b1a79391becd09ddf1e6c
Link:
https://www.unpac.me/results/eec851cf-596c-4adb-adf4-75a1fa4e5bd4/
SH256 hash:
ca0eab9e29adb1347cbd321f58e2fd6006329d45469956aa3ec05d2999483d12
MD5 hash:
c160863ac3a2fad4376fbdc166a0b116
SHA1 hash:
f18c74168e583e110554a0aaebf02c798bc8636d
Detections:
win_amadey_g0
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/eec851cf-596c-4adb-adf4-75a1fa4e5bd4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1dc32d9d1065e929bea07b26b09210056271a74dcf0e6b4e2d9705590b3753e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_amadey_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68030/

Comments