MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 8


Intelligence 8 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2
SHA3-384 hash: 2f1c5969f91f31313a48bf8e6c9888754c5cf767f59c230d06590d023e4249f07471ea5097a93a105c4dafd8b8c17104
SHA1 hash: 5abbb99c25720aaaa253d27ca6d71769b1fd1469
MD5 hash: 0d90e4f66414c1bc9779dbd3f776becd
humanhash: mexico-island-fourteen-hotel
File name:0d90e4f66414c1bc9779dbd3f776becd.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:285'184 bytes
First seen:2021-08-19 10:40:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f4452ee838d99d134cdfb5637fb01d7 (4 x Smoke Loader, 2 x RaccoonStealer, 2 x Amadey)
ssdeep 6144:/CEzJ7gktAu6Vk6XZUtUMaxehpXmUhXNplj0cI3sOfM3c6:L5gk6u6VkiUtURWXmQXrljnk6
Threatray 66 similar samples on MalwareBazaar
TLSH T166548D10B690C035E5F613F558B983A8AB2DBDB05B2050DF62D63BEE67382D49D3076B
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
http://185.215.113.206/k8FppT/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.215.113.206/k8FppT/index.php https://threatfox.abuse.ch/ioc/192171/
65.21.206.125:13957 https://threatfox.abuse.ch/ioc/192172/

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0d90e4f66414c1bc9779dbd3f776becd.exe
Verdict:
No threats detected
Analysis date:
2021-08-19 10:45:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7bb18ab3-163a-4293-97b8-c04c6881fae6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180656/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader41.16114.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a process from a recently created file
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f23f71d0-b432-4d62-b7c7-8e67764b0a3f
Result
Threat name:
Amadey RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835725
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 468156 Sample: D6SC0XwBgv.exe Startdate: 19/08/2021 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->74 76 Multi AV Scanner detection for domain / URL 2->76 78 Found malware configuration 2->78 80 7 other signatures 2->80 10 D6SC0XwBgv.exe 2->10         started        13 ugitaau 2->13         started        15 hnbux.exe 2->15         started        17 hnbux.exe 2->17         started        process3 signatures4 116 Detected unpacking (changes PE section rights) 10->116 118 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->118 120 Maps a DLL or memory area into another process 10->120 19 explorer.exe 5 10->19 injected 122 Machine Learning detection for dropped file 13->122 124 Checks if the current machine is a virtual machine (disk enumeration) 13->124 126 Creates a thread in another existing process (thread injection) 13->126 process5 dnsIp6 62 atvcampingtrips.com 106.241.4.103, 49718, 49721, 49727 LGDACOMLGDACOMCorporationKR Korea Republic of 19->62 64 193.142.59.134, 49733, 49754, 49767 HOSTSLICK-GERMANYNL Netherlands 19->64 66 4 other IPs or domains 19->66 52 C:\Users\user\AppData\Roaming\ugitaau, PE32 19->52 dropped 54 C:\Users\user\AppData\Local\Temp\8C10.exe, PE32 19->54 dropped 56 C:\Users\user\...\ugitaau:Zone.Identifier, ASCII 19->56 dropped 90 System process connects to network (likely due to code injection or exploit) 19->90 92 Benign windows process drops PE files 19->92 94 Deletes itself after installation 19->94 96 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->96 24 7BE8.exe 4 19->24         started        28 3C0F.exe 14 3 19->28         started        31 8C10.exe 15 26 19->31         started        file7 signatures8 process9 dnsIp10 58 C:\Users\user\AppData\Local\...\hnbux.exe, PE32 24->58 dropped 98 Detected unpacking (changes PE section rights) 24->98 33 hnbux.exe 14 24->33         started        68 188.124.36.242, 25802, 49781 SELECTELRU Russian Federation 28->68 100 Query firmware table information (likely to detect VMs) 28->100 102 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->102 104 Hides threads from debuggers 28->104 106 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->106 37 conhost.exe 28->37         started        70 185.215.113.29, 49751, 49763, 8889 WHOLESALECONNECTIONSNL Portugal 31->70 72 api.ip.sb 31->72 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->108 110 Machine Learning detection for dropped file 31->110 112 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->112 114 Tries to harvest and steal browser information (history, passwords, etc) 31->114 39 conhost.exe 31->39         started        file11 signatures12 process13 dnsIp14 60 185.215.113.206, 49775, 49776, 49784 WHOLESALECONNECTIONSNL Portugal 33->60 82 Detected unpacking (changes PE section rights) 33->82 84 Machine Learning detection for dropped file 33->84 86 Contains functionality to inject code into remote processes 33->86 88 Uses schtasks.exe or at.exe to add and modify task schedules 33->88 41 cmd.exe 1 33->41         started        43 schtasks.exe 33->43         started        signatures15 process16 process17 45 reg.exe 41->45         started        48 conhost.exe 41->48         started        50 conhost.exe 43->50         started        signatures18 128 Creates an undocumented autostart registry key 45->128
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 10:41:05 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=63upcow45kvmdnxdlza3b4sefo6z4ejirck3j7u3icyps64d27ra._file
Verdict:
unknown
Similar samples:
4001ef3d5abca387a707411e1b11c07ed5b0bab60d5409831f55dcbdeb86a60f
Amadey
48f94784e42a2ccd19847f18aa9ea4dca34a7a484630b6fa2c4f9eae9d79d41c
Amadey
5345e44552a14502cc5f4d6e7bca0ebf222cda847905ae1d29effa24750c0250
Amadey
5cd93cc3436fb881cf2c5b633aea135ad6a1ccbd9dd6ec404874d42a4b94afec
Amadey
79f1ba97a20bfba399809b1af714574feba04b72dfc88aea23051b462f75455c
Amadey
9d1574036b8d1853c6355e6212c29ffe57e1e0653b65605b0f9664e5d194b2f9
Amadey
a9cdb3bb7a1d3c261d945bba0cdb00afe3216bf96a9f78c7ce669c9fcf0c89c7
Amadey
b87200fd33230fb9a0c284b030ca1c07f5b63c379531de918c7da6288281c5e3
Amadey
ce13ed533f6d3f7d8568876a1738c41ceb4d93f2e95c55ac70372a4b396f7692
Amadey
ed76472a36f6d2b36c13b4ae7735c0ac51c20ca5e3f91220eb7e996b5279f038
Amadey
+ 56 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:smokeloader backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210819-fgr1531yks/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.29:8889
185.215.113.206/k8FppT/index.php
Unpacked files
SH256 hash:
18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2
MD5 hash:
f2fecf6872ad4c61a3a506159fddd4fc
SHA1 hash:
28e039eb96dcf58841992280c66433a2bbab8e84
Link:
https://www.unpac.me/results/8d018071-39a4-4b6e-8c10-eec6030999ca/
SH256 hash:
f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2
MD5 hash:
0d90e4f66414c1bc9779dbd3f776becd
SHA1 hash:
5abbb99c25720aaaa253d27ca6d71769b1fd1469
Link:
https://www.unpac.me/results/8d018071-39a4-4b6e-8c10-eec6030999ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe f6e8f13adceaaac1b6e35e41b0f2442bbd9e11288895b4fe9b40b0f97b83d7e2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1533747/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1545011/
Cape
Cape
https://www.capesandbox.com/analysis/180656/

Comments