MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f81da8996e34359d2d78929ffc5cf829eb102f92676960936f42bcfcf6085a8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Amadey
Vendor detections: 16
| SHA256 hash: | f81da8996e34359d2d78929ffc5cf829eb102f92676960936f42bcfcf6085a8c |
|---|---|
| SHA3-384 hash: | 14029388b8a3918a7fcba39bde855550156fdd1116019c8c07896c63fb12140d2ae441f5c06ac1b36a6b729c54c2f21a |
| SHA1 hash: | e3d72a3dd3e82fc1aeee07a4954485c6a71610e1 |
| MD5 hash: | 72d8d55daaaea363d2202ce5fb503b1e |
| humanhash: | chicken-cold-robin-finch |
| File name: | f81da8996e34359d2d78929ffc5cf829eb102f9267696.exe |
| Download: | download sample |
| Signature | Amadey |
| File size: | 1'364'992 bytes |
| First seen: | 2023-09-06 22:46:12 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader) |
| ssdeep | 24576:+yS0lf5x1ayTDHmx2AtuXcwYiDta+CbVeJF6seA/2kXjhPuTY:NSsrlPgLwb3PeLkX8 |
| Threatray | 1'863 similar samples on MalwareBazaar |
| TLSH | T18D55234797F09172F4B10B70A4F607930B377C618D65A37F36A6688A1E722C68A3537B |
| TrID | 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) |
| File icon (PE): |  |
| dhash icon | f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader) |
| Reporter |  abuse_ch |
| Tags: | Amadey exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
291
Origin country :
NLVendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
f81da8996e34359d2d78929ffc5cf829eb102f9267696.exe
Verdict:
Malicious activity
Analysis date:
2023-09-06 22:46:47 UTC
Tags:
stealc stealer redline amadey botnet trojan opendir loader
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Connecting to a non-recommended domain
Sending an HTTP POST request
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Crifi.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
Amadey, Mystic Stealer, RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Amadey
Status:
Malicious
First seen:
2023-09-06 18:33:07 UTC
File Type:
PE (Exe)
Extracted files:
347
AV detection:
19 of 24 (79.17%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 1'853 additional samples on MalwareBazaar
Result
Malware family:
redline
Score:
10/10
Tags:
family:amadey family:redline botnet:mrak infostealer persistence trojan
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
RedLine
Malware Config
C2 Extraction:
77.91.68.52/mac/index.php
77.91.124.82:19071
77.91.124.82:19071
Unpacked files
SH256 hash:
81aa2e80fbceb1bafc1c88cba1286221edd837bede5f66a08fdf9f93b65b5931
MD5 hash:
4890b43792b80b0b585a198e76355db1
SHA1 hash:
fc2e70a931e6c4d4a9ab702bcca5dbe70e086130
Detections:
Amadey
Parent samples :
b80293318467bc0d3c8e676ef544ef9e973eb14150740338c2ddc0f5671494ee
49b2c4652c7c95e8786bc270aee1d8384c75a7164f0f3df0baae7fdab571a347
134d00e4db5cd67b9541db642d43e890de20175bc4b55445c3007e5a02b5a238
83890d88f756c2fa05e683e88a06062ce4dbbeefaf74c0241badb294c14b0aeb
7618db26dc150c1237d7cdde1c587e2f437d1e0e7db8e1fe7b34038a1837922a
f289dc187746f60222a915c4d520ef035da75b6a6fd7e569ed111aab07bd8856
8ec4090935de015f46e08416f184677b909b2a7cf1d20dc5e5093448e52ebb63
0272c4a874a3cd4dca12efcd877a694be1ef7fb94c98d17b4eeb7950322df4b8
066f392f47768baba4e64a750d8c99ddfe8c478d60ebe05940c51e60413d55f5
c256b9e29a8afbf29ab034dc3a2f9d5471ed96c11a571a1488a4b4b239358030
7c70cd2c5fc2c2b8a6fe10f9146baec1c1ab59d1e68af2200fb8e288118117f1
ae4adf02ab9a9c7a620e862b15a58f52e1fccfed1c037c7c9391ac58772d879f
8a03c0f12e37253db733b4fab4b408da428e76befcb89e07a38be181c635badb
3f25901317aebc10c1e629d57a681af123d22c108041a7b6e32b9c73fb68ab6b
2e3f68e6d0f5ec5ff7b76b407afd11ea2c8953f3d18b0ca936ddf60485bd64e8
66af14d6592e8faff5fd3272e970e5504db7a3cab76f9ffb3166b8ec2d8f595d
629dcbb4561608db7414a066608d04fa31bd03f9cb851541a425241137089f69
fdac697e3ebc8b14068aaaa8fa611eb8bb9eb10b245ff3f964fbc4aec14e64c5
de2054cdf6e9cb7d4b919f75d6de21f5495485cb5895818290cf76a1c891e40c
f8622648a071fa266b754a80f29c31bf60e3fb3b08f5b34ff20fc701ccbe162b
8cf67c6e6e65d32b37c85ea49b31ce86586fd96db10ec6144f22196e63ad3d5b
0d761392bbee9971fa37c751abbe23eb4c321130cc9997598993808da09959cb
5338760998fa35f5921c77eed3ea5baebd1a76eef432cf287a5cf2d3bf474a5a
154c1776876efc50c5f967d8522e52b3166acb41066c1545a23d675bfaf8ad61
535f96886d7e7191f1b678a522b0aab54b8316c69048466e1358406420cbc962
dae5bfaf48654693ff2b04632bf8faf9b55245ad386d0a8a7c2bedaec3455b0d
698e2b8858d93ebe9f612edd87559cfabe61b6fbdc7fe5c56ac8ffeb83eb01ef
2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1
a93b9595d044bb82b6e57302b12a6b6b0e2e73709793e981ac013cc2dee3f478
d303e5a89bf8a298fb251b8787b820a23a1de49f9deb8e3912c45476e82d1c12
0bce887db3f2804a956bd717f24d00949e3e50bf56f599854b17e2744c4e77cf
e2e2212e0e0e8c7ef874f77ffb96b94ecaf83aef20f1fbb3570e04fdd893264a
30ef7d299dcc5ad838d0b2a648e9976e601f42820c6581871d6a0a8df7dc993c
f81da8996e34359d2d78929ffc5cf829eb102f92676960936f42bcfcf6085a8c
9363f5619c83680d343ba9202a48267bb59bfd7664e9c5572d7e47ff6b345b46
8b95af174d1873982c36cf8456debf0816e920555938603dfd4bcdc733e786c1
917df51788e12073af3eaf072b658f4d12cd2187966a110e37521681dfbf6872
db57f0ca9ed05c3ea9168edec891cf155bd6e054a004520cb27a2caf25804665
49b2c4652c7c95e8786bc270aee1d8384c75a7164f0f3df0baae7fdab571a347
134d00e4db5cd67b9541db642d43e890de20175bc4b55445c3007e5a02b5a238
83890d88f756c2fa05e683e88a06062ce4dbbeefaf74c0241badb294c14b0aeb
7618db26dc150c1237d7cdde1c587e2f437d1e0e7db8e1fe7b34038a1837922a
f289dc187746f60222a915c4d520ef035da75b6a6fd7e569ed111aab07bd8856
8ec4090935de015f46e08416f184677b909b2a7cf1d20dc5e5093448e52ebb63
0272c4a874a3cd4dca12efcd877a694be1ef7fb94c98d17b4eeb7950322df4b8
066f392f47768baba4e64a750d8c99ddfe8c478d60ebe05940c51e60413d55f5
c256b9e29a8afbf29ab034dc3a2f9d5471ed96c11a571a1488a4b4b239358030
7c70cd2c5fc2c2b8a6fe10f9146baec1c1ab59d1e68af2200fb8e288118117f1
ae4adf02ab9a9c7a620e862b15a58f52e1fccfed1c037c7c9391ac58772d879f
8a03c0f12e37253db733b4fab4b408da428e76befcb89e07a38be181c635badb
3f25901317aebc10c1e629d57a681af123d22c108041a7b6e32b9c73fb68ab6b
2e3f68e6d0f5ec5ff7b76b407afd11ea2c8953f3d18b0ca936ddf60485bd64e8
66af14d6592e8faff5fd3272e970e5504db7a3cab76f9ffb3166b8ec2d8f595d
629dcbb4561608db7414a066608d04fa31bd03f9cb851541a425241137089f69
fdac697e3ebc8b14068aaaa8fa611eb8bb9eb10b245ff3f964fbc4aec14e64c5
de2054cdf6e9cb7d4b919f75d6de21f5495485cb5895818290cf76a1c891e40c
f8622648a071fa266b754a80f29c31bf60e3fb3b08f5b34ff20fc701ccbe162b
8cf67c6e6e65d32b37c85ea49b31ce86586fd96db10ec6144f22196e63ad3d5b
0d761392bbee9971fa37c751abbe23eb4c321130cc9997598993808da09959cb
5338760998fa35f5921c77eed3ea5baebd1a76eef432cf287a5cf2d3bf474a5a
154c1776876efc50c5f967d8522e52b3166acb41066c1545a23d675bfaf8ad61
535f96886d7e7191f1b678a522b0aab54b8316c69048466e1358406420cbc962
dae5bfaf48654693ff2b04632bf8faf9b55245ad386d0a8a7c2bedaec3455b0d
698e2b8858d93ebe9f612edd87559cfabe61b6fbdc7fe5c56ac8ffeb83eb01ef
2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1
a93b9595d044bb82b6e57302b12a6b6b0e2e73709793e981ac013cc2dee3f478
d303e5a89bf8a298fb251b8787b820a23a1de49f9deb8e3912c45476e82d1c12
0bce887db3f2804a956bd717f24d00949e3e50bf56f599854b17e2744c4e77cf
e2e2212e0e0e8c7ef874f77ffb96b94ecaf83aef20f1fbb3570e04fdd893264a
30ef7d299dcc5ad838d0b2a648e9976e601f42820c6581871d6a0a8df7dc993c
f81da8996e34359d2d78929ffc5cf829eb102f92676960936f42bcfcf6085a8c
9363f5619c83680d343ba9202a48267bb59bfd7664e9c5572d7e47ff6b345b46
8b95af174d1873982c36cf8456debf0816e920555938603dfd4bcdc733e786c1
917df51788e12073af3eaf072b658f4d12cd2187966a110e37521681dfbf6872
db57f0ca9ed05c3ea9168edec891cf155bd6e054a004520cb27a2caf25804665
SH256 hash:
23ab8940b2d77bac7caa36a34b763a34aedf6db448b0be3d1b6ae6b4e0f0e6fb
MD5 hash:
bc23924907da63cc009457d65303d256
SHA1 hash:
8a0db3b3e77be73192d1ca7fe20e2e18939929da
Detections:
redline
Parent samples :
b80293318467bc0d3c8e676ef544ef9e973eb14150740338c2ddc0f5671494ee
49b2c4652c7c95e8786bc270aee1d8384c75a7164f0f3df0baae7fdab571a347
134d00e4db5cd67b9541db642d43e890de20175bc4b55445c3007e5a02b5a238
83890d88f756c2fa05e683e88a06062ce4dbbeefaf74c0241badb294c14b0aeb
7618db26dc150c1237d7cdde1c587e2f437d1e0e7db8e1fe7b34038a1837922a
f289dc187746f60222a915c4d520ef035da75b6a6fd7e569ed111aab07bd8856
8ec4090935de015f46e08416f184677b909b2a7cf1d20dc5e5093448e52ebb63
0272c4a874a3cd4dca12efcd877a694be1ef7fb94c98d17b4eeb7950322df4b8
066f392f47768baba4e64a750d8c99ddfe8c478d60ebe05940c51e60413d55f5
c256b9e29a8afbf29ab034dc3a2f9d5471ed96c11a571a1488a4b4b239358030
7c70cd2c5fc2c2b8a6fe10f9146baec1c1ab59d1e68af2200fb8e288118117f1
ae4adf02ab9a9c7a620e862b15a58f52e1fccfed1c037c7c9391ac58772d879f
8a03c0f12e37253db733b4fab4b408da428e76befcb89e07a38be181c635badb
3f25901317aebc10c1e629d57a681af123d22c108041a7b6e32b9c73fb68ab6b
2e3f68e6d0f5ec5ff7b76b407afd11ea2c8953f3d18b0ca936ddf60485bd64e8
66af14d6592e8faff5fd3272e970e5504db7a3cab76f9ffb3166b8ec2d8f595d
629dcbb4561608db7414a066608d04fa31bd03f9cb851541a425241137089f69
fdac697e3ebc8b14068aaaa8fa611eb8bb9eb10b245ff3f964fbc4aec14e64c5
de2054cdf6e9cb7d4b919f75d6de21f5495485cb5895818290cf76a1c891e40c
f8622648a071fa266b754a80f29c31bf60e3fb3b08f5b34ff20fc701ccbe162b
8cf67c6e6e65d32b37c85ea49b31ce86586fd96db10ec6144f22196e63ad3d5b
0d761392bbee9971fa37c751abbe23eb4c321130cc9997598993808da09959cb
5338760998fa35f5921c77eed3ea5baebd1a76eef432cf287a5cf2d3bf474a5a
154c1776876efc50c5f967d8522e52b3166acb41066c1545a23d675bfaf8ad61
535f96886d7e7191f1b678a522b0aab54b8316c69048466e1358406420cbc962
dae5bfaf48654693ff2b04632bf8faf9b55245ad386d0a8a7c2bedaec3455b0d
698e2b8858d93ebe9f612edd87559cfabe61b6fbdc7fe5c56ac8ffeb83eb01ef
2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1
a93b9595d044bb82b6e57302b12a6b6b0e2e73709793e981ac013cc2dee3f478
d303e5a89bf8a298fb251b8787b820a23a1de49f9deb8e3912c45476e82d1c12
0bce887db3f2804a956bd717f24d00949e3e50bf56f599854b17e2744c4e77cf
e2e2212e0e0e8c7ef874f77ffb96b94ecaf83aef20f1fbb3570e04fdd893264a
30ef7d299dcc5ad838d0b2a648e9976e601f42820c6581871d6a0a8df7dc993c
f81da8996e34359d2d78929ffc5cf829eb102f92676960936f42bcfcf6085a8c
9363f5619c83680d343ba9202a48267bb59bfd7664e9c5572d7e47ff6b345b46
8b95af174d1873982c36cf8456debf0816e920555938603dfd4bcdc733e786c1
917df51788e12073af3eaf072b658f4d12cd2187966a110e37521681dfbf6872
db57f0ca9ed05c3ea9168edec891cf155bd6e054a004520cb27a2caf25804665
49b2c4652c7c95e8786bc270aee1d8384c75a7164f0f3df0baae7fdab571a347
134d00e4db5cd67b9541db642d43e890de20175bc4b55445c3007e5a02b5a238
83890d88f756c2fa05e683e88a06062ce4dbbeefaf74c0241badb294c14b0aeb
7618db26dc150c1237d7cdde1c587e2f437d1e0e7db8e1fe7b34038a1837922a
f289dc187746f60222a915c4d520ef035da75b6a6fd7e569ed111aab07bd8856
8ec4090935de015f46e08416f184677b909b2a7cf1d20dc5e5093448e52ebb63
0272c4a874a3cd4dca12efcd877a694be1ef7fb94c98d17b4eeb7950322df4b8
066f392f47768baba4e64a750d8c99ddfe8c478d60ebe05940c51e60413d55f5
c256b9e29a8afbf29ab034dc3a2f9d5471ed96c11a571a1488a4b4b239358030
7c70cd2c5fc2c2b8a6fe10f9146baec1c1ab59d1e68af2200fb8e288118117f1
ae4adf02ab9a9c7a620e862b15a58f52e1fccfed1c037c7c9391ac58772d879f
8a03c0f12e37253db733b4fab4b408da428e76befcb89e07a38be181c635badb
3f25901317aebc10c1e629d57a681af123d22c108041a7b6e32b9c73fb68ab6b
2e3f68e6d0f5ec5ff7b76b407afd11ea2c8953f3d18b0ca936ddf60485bd64e8
66af14d6592e8faff5fd3272e970e5504db7a3cab76f9ffb3166b8ec2d8f595d
629dcbb4561608db7414a066608d04fa31bd03f9cb851541a425241137089f69
fdac697e3ebc8b14068aaaa8fa611eb8bb9eb10b245ff3f964fbc4aec14e64c5
de2054cdf6e9cb7d4b919f75d6de21f5495485cb5895818290cf76a1c891e40c
f8622648a071fa266b754a80f29c31bf60e3fb3b08f5b34ff20fc701ccbe162b
8cf67c6e6e65d32b37c85ea49b31ce86586fd96db10ec6144f22196e63ad3d5b
0d761392bbee9971fa37c751abbe23eb4c321130cc9997598993808da09959cb
5338760998fa35f5921c77eed3ea5baebd1a76eef432cf287a5cf2d3bf474a5a
154c1776876efc50c5f967d8522e52b3166acb41066c1545a23d675bfaf8ad61
535f96886d7e7191f1b678a522b0aab54b8316c69048466e1358406420cbc962
dae5bfaf48654693ff2b04632bf8faf9b55245ad386d0a8a7c2bedaec3455b0d
698e2b8858d93ebe9f612edd87559cfabe61b6fbdc7fe5c56ac8ffeb83eb01ef
2190623b860d6783e4c6758c057ceecb9023c3b89b824cacc74e6a9c84ed99c1
a93b9595d044bb82b6e57302b12a6b6b0e2e73709793e981ac013cc2dee3f478
d303e5a89bf8a298fb251b8787b820a23a1de49f9deb8e3912c45476e82d1c12
0bce887db3f2804a956bd717f24d00949e3e50bf56f599854b17e2744c4e77cf
e2e2212e0e0e8c7ef874f77ffb96b94ecaf83aef20f1fbb3570e04fdd893264a
30ef7d299dcc5ad838d0b2a648e9976e601f42820c6581871d6a0a8df7dc993c
f81da8996e34359d2d78929ffc5cf829eb102f92676960936f42bcfcf6085a8c
9363f5619c83680d343ba9202a48267bb59bfd7664e9c5572d7e47ff6b345b46
8b95af174d1873982c36cf8456debf0816e920555938603dfd4bcdc733e786c1
917df51788e12073af3eaf072b658f4d12cd2187966a110e37521681dfbf6872
db57f0ca9ed05c3ea9168edec891cf155bd6e054a004520cb27a2caf25804665
SH256 hash:
729434e7582bea15ec03b2b2ff3b5f50effb2e1304d4f9648454a3b8ad1dc97c
MD5 hash:
cd91e02431fc5f29ff209feceb5fffec
SHA1 hash:
14f2a956476f814817045ca597a1b354ce924ce3
SH256 hash:
476a578cafc423231f5a5c164c42ae35213b020c69327acf14817429189dac0a
MD5 hash:
ff1b2e0de07ca29b5be1a1547f32c41e
SHA1 hash:
ef1ee7986021c025f089c8c14940a29fa28e4374
SH256 hash:
f81da8996e34359d2d78929ffc5cf829eb102f92676960936f42bcfcf6085a8c
MD5 hash:
72d8d55daaaea363d2202ce5fb503b1e
SHA1 hash:
e3d72a3dd3e82fc1aeee07a4954485c6a71610e1
Malware family:
RedLine.E
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | detect_Redline_Stealer |
|---|---|
| Author: | Varp0s |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.