MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe6064e70c302549004b15d0f89c94776ab0e1ce0c8b6be604e52f4d7beac73d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 13



SHA256 hash: fe6064e70c302549004b15d0f89c94776ab0e1ce0c8b6be604e52f4d7beac73d
SHA3-384 hash: abba0ecf0b6561c1a89ff6da347517060733da848a797aea656fbf13ff3fa48b1af7eb7ef1a0eb86bffc553be21654f7
SHA1 hash: 1eb6a7713b2956bad228a2d22b82b28578741c35
MD5 hash: ddf2aea0506931c450cf907bf002e9e0
humanhash: fourteen-arkansas-zulu-uranus
File name: file
Signature: Amadey
File size: 7'120'384 bytes
First seen: 2023-12-03 16:48:14 UTC
Last seen: 2023-12-06 12:33:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 196608:RWBi7WP9GeDVI5DKBWZlkgJedYs6LtYdEhqTgKDO:ROsWPkYVI5DK2NNs6LtYdEhSp
TLSH: T1447633E6B380C528EC6725B9983A96FBA433B34E8C68551C3851BE0F3D33B06516795F
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 6cecccccb4c2f2b2 (38 x AgentTesla, 30 x Formbook, 24 x PythonStealer)
Reporter: andretavare5
Tags: Amadey exe


andretavare5
Sample downloaded from https://vk.com/doc418490229_668986288?hash=9cr5dbm3ctX0vAz1EKEA1HiTUUKXqkCvKyaKC3xiQms&dl=0ndV8a8J7IkA6qKoAoiLevgbeejkGh7zAMiXTtglB6T&api=1&no_preview=1

Intelligence


File Origin
Number of uploads: 13
Number of downloads: 326
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Sending an HTTP GET request
Creating a window
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Launching cmd.exe command interpreter
Launching a process
Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive nymaim packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Djvu, Glupteba, Petite Virus, Re
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Djvu Ransomware
Yara detected Glupteba
Yara detected Petite Virus
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socks5Systemz
Behaviour
Behavior Graph (ID 1352686; sample: file.exe; start date: 03/12/2023; architecture: WINDOWS; score: 100)
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-12-03 16:53:33 UTC
File Type: PE (.Net Exe)
Extracted files: 29
AV detection: 13 of 23 (56.52%)
Threat level: 2/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:amadey evasion themida trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Malware Config
C2 Extraction: http://185.172.128.19
Unpacked files
SHA256 hash:
dc2a31ebcef7e1b02ef0b2237da0e126dfebaa6a6336f829c0194b89793e239b
MD5 hash:
3d9dd0ed4f6deb6ad320d84fa5a40542
SHA1 hash:
f2daf79f4bfd1118856e13e1487c99259415d39e
SHA256 hash:
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
MD5 hash:
0099a99f5ffb3c3ae78af0084136fab3
SHA1 hash:
0205a065728a9ec1133e8a372b1e3864df776e8c
Detections:
win_amadey_auto win_amadey_bytecodes_oct_2023
SHA256 hash:
51674486612e300fde800d8b11e5c3a4d3d2d164d903dcd64bcc42226b05c81a
MD5 hash:
ef1f42e650562f4ee6a1fecec8181997
SHA1 hash:
f36f5bae4eb74636233ea23fbaa6b97085140bfa
SHA256 hash:
1c4a0d0b0e63dcabea92ef3e4f7795b65a11631690c07bd28668296cd66e54a4
MD5 hash:
ace624055a8f7e0c7aa8a26fbaca7a89
SHA1 hash:
805b38248f4ee28b4f171e0af5879a39860f216e
SHA256 hash:
cbac88986195914dc2118df4b5fed3960fe49fd94c8f9dec31c2167c8cda528e
MD5 hash:
50c98df26149856bc96eb0e40b822482
SHA1 hash:
76f4886bc843329cb634c595638db95373e95abb
SHA256 hash:
5b78436c42232cb19353709ed24a3a093470cbc9c845d972a631d16568592434
MD5 hash:
3cf29e1d21e6a3bf086b39d1e51f50da
SHA1 hash:
6994a4a947ede1375d2bd882cd047726c33ec5ff
SHA256 hash:
fe6064e70c302549004b15d0f89c94776ab0e1ce0c8b6be604e52f4d7beac73d
MD5 hash:
ddf2aea0506931c450cf907bf002e9e0
SHA1 hash:
1eb6a7713b2956bad228a2d22b82b28578741c35
Detections:
INDICATOR_EXE_Packed_AgileDotNet
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: INDICATOR_EXE_Packed_AgileDotNet
Author: ditekSHen
Description: Detects executables packed with Agile.NET / CliSecure
Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments