MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f48d4751c1d4854d413853433eee7fc8eee1b93b26142ee5b1058b6f9de380c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f48d4751c1d4854d413853433eee7fc8eee1b93b26142ee5b1058b6f9de380c1
SHA3-384 hash: 0e05cf8225887a0783018f177fc977d0fe8a29ac1f29a06b512d3549e4d63ca5d0eee4091fee3de99ef9865dffeabf49
SHA1 hash: 48d7c5d993b5275252963991605b0ca97f7510a8
MD5 hash: 3552f8d14cec9745f4771211e31fd7d0
humanhash: potato-autumn-lactose-kansas
File name:SecuriteInfo.com.Win32.DropperX-gen.15123.20851
Download: download sample
Signature Amadey
Create hunting rule
File size:7'285'248 bytes
First seen:2023-11-22 12:38:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6c7ba36379ab21341ae85bc719b32f (1 x Amadey)
ssdeep 196608:35++jbTSvuJ+MrT0rpPYOpN/Jyc7liXqoRzzvo:J++jbTrJ+M/wpNpNv74lzvo
TLSH T1587633099CC258A9D1C5B17D4ABA3EDD76BC1F15AD204ECEA824E7EBECB24FC0531911
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
350
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.DropperX-gen.15123.20851
Verdict:
Malicious activity
Analysis date:
2023-11-22 12:40:53 UTC
Tags:
amadey botnet stealer
Link:
https://app.any.run/tasks/afcef926-98f4-4c6b-a651-15cbea2d18a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459706/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.15123.20851.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Searching for the window
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f48d4751c1d4854d413853433eee7fc8eee1b93b26142ee5b1058b6f9de380c1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bfba098f-8aff-4929-80a3-2f1c80ea28f4
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1346394
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f48d4751c1d4854d413853433eee7fc8eee1b93b26142ee5b1058b6f9de380c1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f48d4751c1d4854d413853433eee7fc8eee1b93b26142ee5b1058b6f9de380c1/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-11-22 12:31:22 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6sguouob2scu2qjyknbt53t7zdxodoj3eykc5znrawfw7hpdqdaq._file
Verdict:
unknown
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat persistence rat trojan
Link:
https://tria.ge/reports/231122-pt4essda7s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
SectopRAT
SectopRAT payload
Unpacked files
SH256 hash:
209701a2b04aa53ac57d0de9d1d0c59cefdc66e406770ebaaaeb4e8d744da878
MD5 hash:
134d5aa78fe8eabff439afdfb3e5f184
SHA1 hash:
f7cf7ef8ca92a11709427d271ebae0bb302b6be3
Detections:
win_amadey_bytecodes_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/4276ecca-4706-44d1-89b9-9de2e89ee7ae/
SH256 hash:
f48d4751c1d4854d413853433eee7fc8eee1b93b26142ee5b1058b6f9de380c1
MD5 hash:
3552f8d14cec9745f4771211e31fd7d0
SHA1 hash:
48d7c5d993b5275252963991605b0ca97f7510a8
Link:
https://www.unpac.me/results/4276ecca-4706-44d1-89b9-9de2e89ee7ae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f48d4751c1d4854d413853433eee7fc8eee1b93b26142ee5b1058b6f9de380c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe f48d4751c1d4854d413853433eee7fc8eee1b93b26142ee5b1058b6f9de380c1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2733669/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/459706/

Comments