MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcac8cf6b213571ff661d9bb69a53c059d69ef6f6858b8306906b5575d14ed49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcac8cf6b213571ff661d9bb69a53c059d69ef6f6858b8306906b5575d14ed49
SHA3-384 hash: 7064886c754ab0160bf4d8f478feead20ba431d35c29fed076e4546a7db49f7ed03ca96a4dc7e43f6a43065404025fdb
SHA1 hash: f4cb93a9a4b72415ae037bdc690e36dd4fa3005f
MD5 hash: 448c9ac1b2bc184587e607f5d894e45c
humanhash: seventeen-ack-social-hydrogen
File name:448c9ac1b2bc184587e607f5d894e45c.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:785'408 bytes
First seen:2023-07-15 17:45:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:mMryy90CiETvrA5s8/7FGMEFSkF6PWu+mNFX8zeamYds73+kr9kAgCM:QyNiE7rK/5i0kF6PW2NdYdsakrc
TLSH T13EF4122267E99433E9F2577068F3129307367DA2AD7853673BA9EC8E58312C49036377
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe


Avatar
abuse_ch
Amadey C2:
77.91.68.56:19071

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
448c9ac1b2bc184587e607f5d894e45c.exe
Verdict:
Malicious activity
Analysis date:
2023-07-16 00:52:09 UTC
Tags:
rat redline amadey trojan opendir loader
Link:
https://app.any.run/tasks/e5a9336a-bb47-47dc-99e7-f985ca073411

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/420672/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Creating a window
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB confuserex control explorer installer lolbin lolbin packed packed replace rundll32 setupapi shell32 stealer
Link:
https://www.filescan.io/uploads/64b2db5bf3c193545ac590f9/reports/85fb5f4a-7331-48b7-a519-5bd86c46baad/overview
Verdict:
Malicious
Labled as:
TR/Disabler.ocayi
Link:
https://www.hybrid-analysis.com/sample/fcac8cf6b213571ff661d9bb69a53c059d69ef6f6858b8306906b5575d14ed49
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46d8bbf6-24f2-4650-bd11-691928dd76cd
Result
Threat name:
Amadey, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273659
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1273659 Sample: UGkcJyob8w.exe Startdate: 15/07/2023 Architecture: WINDOWS Score: 100 80 Snort IDS alert for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 15 other signatures 2->86 11 UGkcJyob8w.exe 1 4 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        18 6 other processes 2->18 process3 file4 70 C:\Users\user\AppData\Local\...\x6645791.exe, PE32 11->70 dropped 72 C:\Users\user\AppData\Local\...\i6095937.exe, PE32 11->72 dropped 20 x6645791.exe 1 4 11->20         started        process5 file6 58 C:\Users\user\AppData\Local\...\x7502974.exe, PE32 20->58 dropped 60 C:\Users\user\AppData\Local\...\h3145064.exe, PE32 20->60 dropped 88 Antivirus detection for dropped file 20->88 90 Machine Learning detection for dropped file 20->90 24 x7502974.exe 1 4 20->24         started        signatures7 process8 file9 66 C:\Users\user\AppData\Local\...\g8836004.exe, PE32 24->66 dropped 68 C:\Users\user\AppData\Local\...\f2204582.exe, PE32 24->68 dropped 100 Antivirus detection for dropped file 24->100 102 Machine Learning detection for dropped file 24->102 28 g8836004.exe 3 24->28         started        32 f2204582.exe 5 24->32         started        signatures10 process11 dnsIp12 74 C:\Users\user\AppData\Local\...\danke.exe, PE32 28->74 dropped 104 Antivirus detection for dropped file 28->104 106 Multi AV Scanner detection for dropped file 28->106 108 Machine Learning detection for dropped file 28->108 110 Contains functionality to inject code into remote processes 28->110 35 danke.exe 17 28->35         started        76 77.91.68.56, 19071, 49695 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 32->76 112 Found evasive API chain (may stop execution after checking mutex) 32->112 114 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->114 116 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->116 118 Tries to harvest and steal browser information (history, passwords, etc) 32->118 40 conhost.exe 32->40         started        file13 signatures14 process15 dnsIp16 78 77.91.68.3, 49696, 49697, 49698 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 35->78 62 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 35->62 dropped 64 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 35->64 dropped 92 Antivirus detection for dropped file 35->92 94 Multi AV Scanner detection for dropped file 35->94 96 Creates an undocumented autostart registry key 35->96 98 2 other signatures 35->98 42 cmd.exe 35->42         started        44 schtasks.exe 1 35->44         started        46 rundll32.exe 35->46         started        file17 signatures18 process19 process20 48 conhost.exe 42->48         started        50 cmd.exe 42->50         started        52 cacls.exe 42->52         started        56 4 other processes 42->56 54 conhost.exe 44->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcac8cf6b213571ff661d9bb69a53c059d69ef6f6858b8306906b5575d14ed49/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-07-15 17:46:06 UTC
File Type:
PE (Exe)
Extracted files:
116
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7swiz5vscnlr75tb3g5wtjj4awowt33pnbmlqmdja22voxiu5veq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:lamp infostealer persistence
Link:
https://tria.ge/reports/230715-wb98ysbe67/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
77.91.68.56:19071
Unpacked files
SH256 hash:
de6b45cf5ffb6a69cdb572b5c208d80447fb71bd2426f1573ad8402fecb5e1d6
MD5 hash:
253e99673c3851f4e1b5df579377c62a
SHA1 hash:
e7aa51080749291cf7a86e9d68c1439a9ea48953
Link:
https://www.unpac.me/results/2d9d3482-1daa-4099-b0f1-fda25136e4bc/
SH256 hash:
d3ced892fe912e4daa227cd24aba36fbad5a68cde1c80a53ad7d28406ee14d2b
MD5 hash:
db683c2b1e5eb020e9f6b56c346660ca
SHA1 hash:
718603712af0ab661fdd40d8dd2d3c7e3ea9efc2
Link:
https://www.unpac.me/results/2d9d3482-1daa-4099-b0f1-fda25136e4bc/
SH256 hash:
57686eff9e3155bce9549f3df79e1196a913765a299bbf643e6d58b7cddebf9c
MD5 hash:
20052ceaade9d5628ffbfca7189e441a
SHA1 hash:
fadf73fe43acac8b690b2dd21d6822d5d44f7c51
Link:
https://www.unpac.me/results/2d9d3482-1daa-4099-b0f1-fda25136e4bc/
SH256 hash:
814a68993645dbb727ca80c7e840eb10c427929d5859ce97a39ec52f882ea3ae
MD5 hash:
d74d37df9cc9b7a45517e8dda6fc0833
SHA1 hash:
0dd99bc506c4ce7b41ff40925e6e1b363478c59c
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/2d9d3482-1daa-4099-b0f1-fda25136e4bc/
Parent samples :
96357b5ab44f1feadf33064dd5bb5be64e15051acb9bf7d14c5c708225ffb7df
5c392e2a2961e96d305b3ed9af854e043f75ae80b219c612fbc6cd000399f7d6
c723ad5514f1c882ec25abe3f86f8c37845ca600747a258a5d54ac596d27f6df
6c411da48b1bf36ea29f2f6e02278bb6caaf29ab4feece5daabe4dbbf50772d2
fcac8cf6b213571ff661d9bb69a53c059d69ef6f6858b8306906b5575d14ed49
cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e
2cd70321a7f4a39e0fa291841d388eb1f565c800d45aea6db90af9081462fd17
75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af
SH256 hash:
565e63ab5dbf212fd131e75850a3efd6bf3ce83a61c4420a0dd9417e8e792277
MD5 hash:
f90e08eb3a13ea9d81af02fa263c3d06
SHA1 hash:
2bd3cf2cd1eab83b823307782042b3c4b39e2065
Link:
https://www.unpac.me/results/2d9d3482-1daa-4099-b0f1-fda25136e4bc/
SH256 hash:
a9edf7e12022496bf9ebc108deaee738b1590c3a0b0d93a402224cc6b702f660
MD5 hash:
bb669d2a48265e40ba34a3dd09591f2a
SHA1 hash:
9a30228fb98c45c2382b7872e946f62f5136515c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/2d9d3482-1daa-4099-b0f1-fda25136e4bc/
Parent samples :
fcac8cf6b213571ff661d9bb69a53c059d69ef6f6858b8306906b5575d14ed49
2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c
SH256 hash:
fcac8cf6b213571ff661d9bb69a53c059d69ef6f6858b8306906b5575d14ed49
MD5 hash:
448c9ac1b2bc184587e607f5d894e45c
SHA1 hash:
f4cb93a9a4b72415ae037bdc690e36dd4fa3005f
Link:
https://www.unpac.me/results/2d9d3482-1daa-4099-b0f1-fda25136e4bc/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fcac8cf6b213/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcac8cf6b213571ff661d9bb69a53c059d69ef6f6858b8306906b5575d14ed49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe fcac8cf6b213571ff661d9bb69a53c059d69ef6f6858b8306906b5575d14ed49

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2679553/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/420672/

Comments