MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f500c5f2ef41c296869cef7d33ddb90449f8ebe703e7da2fc47726c7232ad10f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f500c5f2ef41c296869cef7d33ddb90449f8ebe703e7da2fc47726c7232ad10f
SHA3-384 hash: e1ef1c39e0811a9d04f4160b2feea824cdb7c36113eaafd89f9faf3cedc930ca742401adb665b32cfecf6d39723e8273
SHA1 hash: 414468a3216442f186955693ce8c3aea984054bb
MD5 hash: 1d20e7282d674a8d160ac5096798ba9a
humanhash: east-tennessee-paris-maryland
File name:1D20E7282D674A8D160AC5096798BA9A.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'263'312 bytes
First seen:2021-08-28 22:21:01 UTC
Last seen:2021-08-28 23:03:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 34b35df7c6acd4636c28f27c1695ce68 (1 x Amadey)
ssdeep 24576:BjE1kzjE9h8pobNlRMW+xcGSapgRkQuB9yzA/FoB2v3yiIkEc7WQaWFWzSZS:povhlWt7SwfdoBmyiI9uzZS
Threatray 5 similar samples on MalwareBazaar
TLSH T1D745333EDE4A4C5AF30216F61E72EE51DBE02BBB815591F0B54503069CC95B23AF3B29
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://depressionk1d.ug/k8FppT/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://depressionk1d.ug/k8FppT/index.php https://threatfox.abuse.ch/ioc/201784/

Intelligence

File Origin
# of uploads :
2
# of downloads :
430
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1D20E7282D674A8D160AC5096798BA9A.exe
Verdict:
Malicious activity
Analysis date:
2021-08-28 22:23:02 UTC
Tags:
trojan amadey
Link:
https://app.any.run/tasks/1b0b851b-4bb6-4059-963e-29dd654f420c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183167/
Detection(s):
PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Running batch commands
Launching a process
Creating a window
DNS request
Connection attempt
Sending an HTTP POST request
Deleting a recently created file
Sending a UDP request
Enabling autorun by creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d9f850e-42f7-4f8b-891b-4ea45f187e31
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840894
Signature
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 473321 Sample: X2PrdXhH1y.exe Startdate: 29/08/2021 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected Amadey bot 2->37 39 2 other signatures 2->39 8 X2PrdXhH1y.exe 4 2->8         started        12 rnyuf.exe 2->12         started        process3 file4 29 C:\Users\user\AppData\Local\...\rnyuf.exe, PE32 8->29 dropped 43 Detected unpacking (changes PE section rights) 8->43 45 Contains functionality to inject code into remote processes 8->45 47 Tries to evade analysis by execution special instruction which cause usermode exception 8->47 14 rnyuf.exe 14 8->14         started        49 Hides threads from debuggers 12->49 signatures5 process6 dnsIp7 31 depressionk1d.ug 193.164.17.17, 49703, 49704, 49705 AT-ASRU Russian Federation 14->31 51 Multi AV Scanner detection for dropped file 14->51 53 Detected unpacking (changes PE section rights) 14->53 55 Machine Learning detection for dropped file 14->55 57 3 other signatures 14->57 18 cmd.exe 1 14->18         started        20 schtasks.exe 1 14->20         started        signatures8 process9 process10 22 reg.exe 1 18->22         started        25 conhost.exe 18->25         started        27 conhost.exe 20->27         started        signatures11 41 Creates an undocumented autostart registry key 22->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f500c5f2ef41c296869cef7d33ddb90449f8ebe703e7da2fc47726c7232ad10f/
Threat name:
Win32.Downloader.Deyma
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 22:54:38 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6uaml4xpihbjnbu4556thxnzare7r27hapt5ul6eo4tmoizk2ehq._file
Verdict:
suspicious
Similar samples:
33e1b67ad4d3fa79b5962739474792e251306c7474e9a9e3afa0fc6d5e93b4b4
Amadey
955f8374fb9b6f509dead8f29f3990ab02dc762345fcd3248886da10659c99e0
Amadey
c9d35ffb9b20a4bd48eb6992ba4c10f12f7d0577b218faa7368dc251b45af6bb
Amadey
dc3014452f4f99828129950d9507ab71df2c80daf40250125d8e21961baa079a
Amadey
dc8ddcd4db035fa647001a01cab6a2866d092fcaad18279835751ee0396da041
Amadey
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210828-hphgg5k2kx/
Behaviour
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Executes dropped EXE
suricata: ET MALWARE Amadey CnC Check-In
Unpacked files
SH256 hash:
f500c5f2ef41c296869cef7d33ddb90449f8ebe703e7da2fc47726c7232ad10f
MD5 hash:
1d20e7282d674a8d160ac5096798ba9a
SHA1 hash:
414468a3216442f186955693ce8c3aea984054bb
Link:
https://www.unpac.me/results/6ca2cd28-c0f3-41bf-acac-5d2a6bcc75e4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f500c5f2ef41/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Amadey
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f500c5f2ef41c296869cef7d33ddb90449f8ebe703e7da2fc47726c7232ad10f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183167/

Comments