MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb6b67e04cddc3ddf8662d9798012cf24732c837c5c4eb44925823f6032bacb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 19

Intelligence 19 IOCs YARA File information Comments

SHA256 hash:	fb6b67e04cddc3ddf8662d9798012cf24732c837c5c4eb44925823f6032bacb6
SHA3-384 hash:	6d28d694f9b33e0ddcd73ee4b6794a7b4af303176ae2a2fdd220efc812859f2b94efd5981b340571df1b0eca5f117de5
SHA1 hash:	78b4b41dd105c1804fd7a7045dd23f2ad2fbb11e
MD5 hash:	e7944fbef4e92cf6667d6750d317e28e
humanhash:	neptune-india-ceiling-crazy
File name:	fb6b67e04cddc3ddf8662d9798012cf24732c837c5c4eb44925823f6032bacb6.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	445'440 bytes
First seen:	2024-09-09 15:34:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f0ba1e2fafb46228d56b5d07719ed13d (1 x Amadey)
ssdeep	12288:R1XZBN34wZV6Vz1trU6id8lEUZbZB45u2OM9NH:RjBNIwZV6Vz1xUjTSbMH9NH
Threatray	387 similar samples on MalwareBazaar
TLSH	T13C945C213966C032C65092711E68FFF694DDE9259B7109CB77C40F7BAE211E26A31F3A
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Chainskilabs
Tags:	Amadey exe

Intelligence

File Origin

# of uploads :

# of downloads :

445

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

a6d1a352c9897c96797c7bdc7599b07b3c6704655de2beacb3523eb04cbac6eb

Verdict:

Malicious activity

Analysis date:

2024-09-09 15:10:36 UTC

Tags:

loader amadey botnet stealer

Link:

https://app.any.run/tasks/77d72c8b-bcdd-45a7-a59f-74ebd0962184

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Generic-10033391-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66df15a976bc4542b049474e

Tags:

Infostealer Network Stealth Trojan

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file

Creating a window

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

DNS request

Delayed reading of the file

Connection attempt

Sending an HTTP POST request

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

amadey epmicrosoft_visual_cc lolbin microsoft_visual_cc shell32

Link:

https://www.filescan.io/uploads/66df15a6baa5cec8a70d2da7/reports/5a4aff79-35ad-4603-90b5-b5ca49e5aff0/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/fb6b67e04cddc3ddf8662d9798012cf24732c837c5c4eb44925823f6032bacb6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f9cacfd1-b397-45cc-b58f-b08a5f61d7ea

Result

Threat name:

Amadey

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1508112

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fb6b67e04cddc3ddf8662d9798012cf24732c837c5c4eb44925823f6032bacb6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fb6b67e04cddc3ddf8662d9798012cf24732c837c5c4eb44925823f6032bacb6/

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2024-09-05 15:17:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7nvwpycm3xb536dgfwlzqajm6jdtfsbxyxcowreslar7mazlvs3a._file

Verdict:

malicious

Amadey

52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e

Amadey

a5fa23aabe7af2e9417da64e88817b272ac9941d6bdf80e98dca83296177cea7

Amadey

e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042

Amadey

ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5

Amadey

+ 377 additional samples on MalwareBazaar

Result

Malware family:

amadey

Score:

10/10

Tags:

family:amadey botnet:41cd5f discovery trojan

Link:

https://tria.ge/reports/240909-s1ddqswajq/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Amadey

Malware Config

C2 Extraction:

http://specificsecurity.ru

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/31600563-fa17-4b00-9bda-dff7273031a0

Unpacked files

SH256 hash:

fb6b67e04cddc3ddf8662d9798012cf24732c837c5c4eb44925823f6032bacb6

MD5 hash:

e7944fbef4e92cf6667d6750d317e28e

SHA1 hash:

78b4b41dd105c1804fd7a7045dd23f2ad2fbb11e

Detections:

win_amadey_auto

win_amadey

Link:

https://www.unpac.me/results/c3d5ddf2-cc82-4470-bb97-eb8542544c11/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fb6b67e04cdd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fb6b67e04cddc3ddf8662d9798012cf24732c837c5c4eb44925823f6032bacb6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::GetSidSubAuthorityCount ADVAPI32.dll::GetSidSubAuthority
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipGetImageEncodersSize gdiplus.dll::GdipGetImageEncoders
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::GetSidIdentifierAuthority
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA SHELL32.dll::SHFileOperationA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::VirtualAllocEx KERNEL32.dll::WriteProcessMemory KERNEL32.dll::CloseHandle WININET.dll::InternetCloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::GetFileAttributesA KERNEL32.dll::RemoveDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::GetUserNameA ADVAPI32.dll::LookupAccountNameA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegGetValueA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryInfoKeyW ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample