MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7b3caf96d26314be264310c3440d238a22205e841c3991b508a920ac430d4b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7b3caf96d26314be264310c3440d238a22205e841c3991b508a920ac430d4b3
SHA3-384 hash: eab89375734a65f13b94da112b77f83f5e958653ea35043c64a5525fc5902113b78a49a028cbdc92eb6315c48d7ed54b
SHA1 hash: 7e4759a3f10adbea349df5be94c96cbf327e4ce7
MD5 hash: df3795e6842e839cf45e694b7164ee17
humanhash: fish-charlie-july-speaker
File name:df3795e6842e839cf45e694b7164ee17
Download: download sample
Signature Amadey
Create hunting rule
File size:375'224 bytes
First seen:2023-06-09 00:14:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 86d018b5958d6ee3306f74df5ad0b6fb (10 x RedLineStealer, 1 x Amadey)
ssdeep 6144:i1gh1VbPonZFGyykMuMn3ui8JLy74qbSIpHCbeIEnrTNx:i18OAyyk/23+JG74qbZikFx
Threatray 1 similar samples on MalwareBazaar
TLSH T1FA84BF12E978449AD6EC20FA6D46E36C50D41DF4B77FCC53E3964A5A9F872C342E0A0E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
df3795e6842e839cf45e694b7164ee17
Verdict:
Malicious activity
Analysis date:
2023-06-09 00:17:33 UTC
Tags:
loader
Link:
https://app.any.run/tasks/cdd505e6-0cfb-4bd4-a7e4-f7e0bcc791ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/397083/
Detection(s):
SecuriteInfo.com.Variant.Zusy.471739.23330.20570.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Creating a file in the %temp% directory
Reading critical registry keys
Creating a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Changing a file
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Searching for synchronization primitives
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90045/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/64826f0842643c8ff4f00e65/reports/6e2535d6-4058-4d44-a7e9-c3f31488ab0a/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/f7b3caf96d26314be264310c3440d238a22205e841c3991b508a920ac430d4b3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f20fc186-6abe-4948-ae60-0f0565668910
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1251614
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Go Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 884634 Sample: rMRyXHcqPD.exe Startdate: 09/06/2023 Architecture: WINDOWS Score: 92 109 Multi AV Scanner detection for submitted file 2->109 111 Yara detected Go Stealer 2->111 113 Machine Learning detection for sample 2->113 11 rMRyXHcqPD.exe 1 2->11         started        14 main.exe 2->14         started        process3 signatures4 121 Writes to foreign memory regions 11->121 123 Allocates memory in foreign processes 11->123 125 Injects a PE file into a foreign processes 11->125 16 AppLaunch.exe 35 11->16         started        21 WerFault.exe 24 9 11->21         started        23 conhost.exe 11->23         started        127 Tries to harvest and steal browser information (history, passwords, etc) 14->127 25 chrome.exe 14->25         started        process5 dnsIp6 91 199.101.134.238 WZCOM-US United States 16->91 93 204.155.145.50 WZCOM-US United States 16->93 101 2 other IPs or domains 16->101 65 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 16->65 dropped 67 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 16->67 dropped 69 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 16->69 dropped 73 15 other malicious files 16->73 dropped 115 Tries to harvest and steal browser information (history, passwords, etc) 16->115 117 DLL side loading technique detected 16->117 27 Updater_x86.exe 9 16->27         started        30 Chr0me.exe 40 16->30         started        33 conhost.exe 16->33         started        95 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->95 97 8.8.8.8 GOOGLEUS United States 21->97 99 192.168.2.1 unknown unknown 21->99 71 C:\ProgramData\Microsoft\...\Report.wer, Unicode 21->71 dropped 35 chrome.exe 25->35         started        37 chrome.exe 25->37         started        39 chrome.exe 25->39         started        41 chrome.exe 25->41         started        file7 signatures8 process9 file10 83 C:\Users\user\AppData\Local\...\main.sfx.exe, PE32 27->83 dropped 85 C:\Users\user\AppData\Local\Temp\Cmain.exe, PE32 27->85 dropped 43 main.sfx.exe 7 27->43         started        46 Cmain.exe 11 27->46         started        87 C:\Users\user\AppData\Roaming\...\readme.txt, Unicode 30->87 dropped 129 Tries to steal Crypto Currency Wallets 30->129 48 conhost.exe 30->48         started        signatures11 process12 file13 89 C:\Users\user\AppData\Local\main.exe, PE32+ 43->89 dropped 50 main.exe 91 43->50         started        process14 dnsIp15 103 163.181.56.174 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States 50->103 105 13.107.246.60 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 50->105 107 4 other IPs or domains 50->107 75 C:\Users\user\...\notification_helper.exe, PE32+ 50->75 dropped 77 C:\Users\user\AppData\...\mojo_core.dll, PE32+ 50->77 dropped 79 C:\Users\user\AppData\Roaming\...\libEGL.dll, PE32+ 50->79 dropped 81 9 other files (8 malicious) 50->81 dropped 119 Antivirus detection for dropped file 50->119 55 chrome.exe 50->55         started        file16 signatures17 process18 process19 57 chrome.exe 55->57         started        59 chrome.exe 55->59         started        61 chrome.exe 55->61         started        63 chrome.exe 55->63         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7b3caf96d26314be264310c3440d238a22205e841c3991b508a920ac430d4b3/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-06-09 00:15:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=66z4v6lneyyuxytegegdiqgshcrcebpiihbzsg2qrkjavrbq2szq._file
Verdict:
malicious
Similar samples:
26bc9287f34be69cef7beca9e91c4a4f1de6f5934d9bc643f8d8de7754bda294
Amadey
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230609-ajw6eaae33/
Behaviour
GoLang User-Agent
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SH256 hash:
0ebc7abcbcf0aafbeddb323fead55816a1d92bf4230c9fdfc0a5b3bf464e974f
MD5 hash:
ed574347f0eab6548ddfb491286bc867
SHA1 hash:
47783a2a4c7ab5da89a617efe60ebf8ba05a829d
Link:
https://www.unpac.me/results/32df0c08-7da9-433b-b3fa-a2b164580d34/
SH256 hash:
f7b3caf96d26314be264310c3440d238a22205e841c3991b508a920ac430d4b3
MD5 hash:
df3795e6842e839cf45e694b7164ee17
SHA1 hash:
7e4759a3f10adbea349df5be94c96cbf327e4ce7
Link:
https://www.unpac.me/results/32df0c08-7da9-433b-b3fa-a2b164580d34/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f7b3caf96d26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.62
Link:
https://yomi.yoroi.company/submissions/f7b3caf96d26314be264310c3440d238a22205e841c3991b508a920ac430d4b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe f7b3caf96d26314be264310c3440d238a22205e841c3991b508a920ac430d4b3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/397083/
  
URLhaus
https://urlhaus.abuse.ch/url/2656000/

Comments


Avatar
zbet commented on 2023-06-09 00:14:48 UTC

url : hxxps://www.4sync.com/web/directDownload/igaBJAAR/CR-5VsXM.3be03c203d0b0f735034a5e3ffe1d0f2/