MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd72116d8478ca0408b99be72b76e3160cdd55e8165eaf7241bf60666fb7a3a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd72116d8478ca0408b99be72b76e3160cdd55e8165eaf7241bf60666fb7a3a6
SHA3-384 hash: c13a49d1c6163eab922263011e7fed8fc8e7b00bec1460f28439f4f7b1a3350c17bd13f3ae78ba5a9dae2771a0b977ba
SHA1 hash: c2a4b4fddc24ea17d7eeabe7e4bfbef2dda7bf5e
MD5 hash: 1138ad3f2c41c0d6a3dfe6a8800e5e48
humanhash: september-ink-wolfram-charlie
File name:lr227634.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:276'992 bytes
First seen:2023-05-13 22:53:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8cb869f42d9744fa3286b04b1d083ca7 (4 x Amadey, 1 x Stop, 1 x TeamBot)
ssdeep 3072:rE4GysoDOpvJlsk7nkKmcR58QAXCKPtxkEmwZX45HceFhZOrV:o4GyqpvJfX/NKbgwk3Yr
Threatray 4'747 similar samples on MalwareBazaar
TLSH T12D44E1207BB1C777E96706759878F7E56A2FBC509B68C49B323C1B5B2C303C19AA5312
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 4031195915557501 (2 x Amadey)
Reporter JaffaCakes118
Tags:Amadey

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
lr227634.exe
Verdict:
Malicious activity
Analysis date:
2023-05-14 00:25:18 UTC
Tags:
amadey trojan
Link:
https://app.any.run/tasks/d8b6ebb9-d262-4ec3-ba5a-b2152df04e53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/389125/
Detection(s):
Sanesecurity.Malware.29231.BadIN.UNOFFICIAL
Create hunting rule

Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83992/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
babar greyware packed
Link:
https://www.filescan.io/uploads/64601512e6ddc946fb821768/reports/a5fcfea5-a413-4cf0-ba60-11aaaabea063/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fd72116d8478ca0408b99be72b76e3160cdd55e8165eaf7241bf60666fb7a3a6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a702504e-ff57-4a90-a831-d01bf3b39ac7
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232452
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 865432 Sample: lr227634.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 6 other signatures 2->54 7 lr227634.exe 4 2->7         started        process3 file4 30 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 7->30 dropped 32 C:\Users\user\...\oneetx.exe:Zone.Identifier, ASCII 7->32 dropped 56 Detected unpacking (changes PE section rights) 7->56 58 Detected unpacking (overwrites its own PE header) 7->58 60 Contains functionality to inject code into remote processes 7->60 11 oneetx.exe 7->11         started        15 WerFault.exe 9 7->15         started        18 WerFault.exe 9 7->18         started        20 8 other processes 7->20 signatures5 process6 dnsIp7 46 77.91.124.207, 80 ECOTEL-ASRU Russian Federation 11->46 62 Multi AV Scanner detection for dropped file 11->62 64 Detected unpacking (changes PE section rights) 11->64 66 Detected unpacking (overwrites its own PE header) 11->66 68 2 other signatures 11->68 22 WerFault.exe 11->22         started        24 WerFault.exe 11->24         started        26 WerFault.exe 11->26         started        28 6 other processes 11->28 34 C:\ProgramData\Microsoft\...\Report.wer, Unicode 15->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->36 dropped 38 C:\ProgramData\Microsoft\...\Report.wer, Unicode 20->38 dropped 40 C:\ProgramData\Microsoft\...\Report.wer, Unicode 20->40 dropped 42 C:\ProgramData\Microsoft\...\Report.wer, Unicode 20->42 dropped 44 5 other malicious files 20->44 dropped file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd72116d8478ca0408b99be72b76e3160cdd55e8165eaf7241bf60666fb7a3a6/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-04-21 21:43:53 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
32 of 37 (86.49%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7vzbc3mepdfaicfztptsw5xdcygn2vpiczpk64sbx5qgm35xuota._file
Verdict:
malicious
Similar samples:
0f91f82218d734d2f86b6a1fa0b6c8743e031caf1ce6481e138201309eaf224f
Amadey
28d3195daf8b48fa262cc9be185e9dd402f79be472874b4070dd0516744b8a63
Amadey
49ef5dfc5d3fd6c2e10a0f95381b0ee163f30653a7a6ecebd7bce2a935ec3982
Amadey
8003e04f598f75df475bebdafb8b1702c4bdff87067b6554942a795a50c5bb73
Amadey
810f1a0909c64f4f0e404f819f191ccee14ed773ac3d75a9849c10db734a0d68
Amadey
86de0eece0f433c1dad9c51b60a11e39346f6da14ad576d78bd72600d963f80a
Amadey
aa3a84d69bd27931f0e7aeda5ff5cb4f7780644c2bb59bc1c374470c8109d2da
Amadey
e6270068394194d400ccb6422ccaa72da89179294525d6aa0c615bd1519d685d
Amadey
f984811ca20f0022a21840ccd29a68b8a39d44569b4ecdb9634405e4f404af57
Amadey
fda782d36cbd967d0c3f037110e2419d4676af0a089648fb8c6f8656e97fdb83
Amadey
+ 4'737 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey trojan
Link:
https://tria.ge/reports/230513-2vnf7aca8y/
Behaviour
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Malware Config
C2 Extraction:
77.91.124.207/plays/chapter/index.php
Unpacked files
SH256 hash:
eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
MD5 hash:
6c07711a17452b855149a95cda6fc830
SHA1 hash:
5b3252c2567de78f9ae68764d4e30511a509fdcc
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/dd523487-6642-45eb-85d9-c088b82b9487/
Parent samples :
7a420492a6b132a40688165f244fec62096338b64d77e8921d587b33c85b71fb
3ce59f4740e06e135b214f2345f4ca167586b83aa2afdfbb4ade797d90e5c85d
6fed2ab08446e6cdb2c0ba81f108d3eaf5186ab8f45d6cd3d27d86bcf77a99e4
53069da8103b319980e687cba051c0f6a49e1806bf6cb30826b65f3507098e40
47de00d106dd237c87aac8014aff32244f8c974dee45dbd512228f15673410e4
413077cd3d7ea70a8fd41233059bcb09770d2519de529d0b10d8c7cc230a67d5
e764e32c75d2e764cf3f669ea31186db89a02b6f9f0faa77d0849f0cc771306b
f5993e37f845fc2f815ae5619b6be60af7f5befb058abaebbf3529006575982c
98afba82f88849389fa6381d3aa194a2fdbf425aae9b3fb7ad40ccd80d586749
beed521707a73b04283324055c87eb566c4ec8b93d0c12c0f01671c7897e8ad5
6bd68b7e22845afd09f658e7327669685342759cf434b8cba1103da610144658
beecd363e2e6f1e8d147ff961311dcce119db257ea496f1530ba0e6f9d222698
ca2b0934931d7c6d9a0f93349de8579eb16a69ec279fd5973beab4af958048ac
c64c01e4b5c676fdaf6a9f813225cb506d3bf8207f625b825859b8f4c2732436
d9196919ac692942d5188b30b150be23726eb32338e3da97e1555d2cd6f03b74
5af367329e970fc924f0ad370490c6383a32faf73ce67e3e167c2e101ee91fce
6d38b6161680aa4e76f1197bba369906b8dd63c768810c141869f0314cd9adc8
49137bb422c2bafc8cc220c600cb4cd747d520f1bb360be181aa0dcf556e3a4d
fd72116d8478ca0408b99be72b76e3160cdd55e8165eaf7241bf60666fb7a3a6
SH256 hash:
fd72116d8478ca0408b99be72b76e3160cdd55e8165eaf7241bf60666fb7a3a6
MD5 hash:
1138ad3f2c41c0d6a3dfe6a8800e5e48
SHA1 hash:
c2a4b4fddc24ea17d7eeabe7e4bfbef2dda7bf5e
Link:
https://www.unpac.me/results/dd523487-6642-45eb-85d9-c088b82b9487/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd72116d8478ca0408b99be72b76e3160cdd55e8165eaf7241bf60666fb7a3a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/389125/

Comments