MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2
SHA3-384 hash: 4677068cd4dbb8022678cc630dc586d07a2a82bf1de91a8db6758ab3523ec94b09ad958b9b4a1b9283711e43f31d4d7c
SHA1 hash: d6cbe3198b1875a485773496b0e9c2b944b23133
MD5 hash: d7a4223e43b194c93b0663e8e319fbaa
humanhash: apart-fix-single-twelve
File name:d7a4223e43b194c93b0663e8e319fbaa
Download: download sample
Signature Amadey
Create hunting rule
File size:208'896 bytes
First seen:2021-10-01 20:21:43 UTC
Last seen:2021-10-01 21:00:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e83401c319ae7f89c70248c4558a8eb (1 x Amadey)
ssdeep 6144:OCjY1fwXY5myVidlqgkXP889Cp2zupl5z/NkRY6R:OCjQR5mywqjf8kCp2zupl5z/4
Threatray 634 similar samples on MalwareBazaar
TLSH T1271418613812C072D560657219F4BFF6C5ADAD15ABB049EF2B800F7BDA212F36931D3A
Reporter zbetcheckin
Tags:32 Amadey exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.215.113.45/g4MbvE/index.php https://threatfox.abuse.ch/ioc/229555/

Intelligence

File Origin
# of uploads :
2
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
615710_IDM-Crack-639-B.zip
Verdict:
Malicious activity
Analysis date:
2021-10-01 14:28:23 UTC
Tags:
trojan rat redline loader evasion stealer opendir amadey vidar
Link:
https://app.any.run/tasks/cc459601-e2b8-4012-b674-3c95ea63f1f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194053/
Detection(s):
SecuriteInfo.com.Variant.Zusy.398750.22372.1189.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7dd3216a-fec3-4339-af0a-e4b324b504d4
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862910
Signature
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495338 Sample: mWOzuZ7Yqk Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 3 other signatures 2->43 8 mWOzuZ7Yqk.exe 4 2->8         started        12 sqtvvs.exe 2->12         started        14 sqtvvs.exe 2->14         started        16 sqtvvs.exe 2->16         started        process3 file4 33 C:\Users\user\AppData\Local\...\sqtvvs.exe, PE32 8->33 dropped 51 Contains functionality to inject code into remote processes 8->51 18 sqtvvs.exe 14 8->18         started        signatures5 process6 dnsIp7 35 185.215.113.45, 49771, 49772, 49773 WHOLESALECONNECTIONSNL Portugal 18->35 45 Multi AV Scanner detection for dropped file 18->45 47 Machine Learning detection for dropped file 18->47 49 Uses schtasks.exe or at.exe to add and modify task schedules 18->49 22 cmd.exe 1 18->22         started        24 schtasks.exe 1 18->24         started        signatures8 process9 process10 26 reg.exe 1 22->26         started        29 conhost.exe 22->29         started        31 conhost.exe 24->31         started        signatures11 53 Creates an undocumented autostart registry key 26->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 18:23:00 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=76lmaxgfhhvolhvehq37dgldojmjwm5kfor2tpofuht3ecy7owza._file
Verdict:
malicious
Similar samples:
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
Amadey
5abccf6b1cdcdb5eff6c00de089850a6f81b0813f2afc3b79d4d681defdabf95
Amadey
70cb4ed4ee85184589dc4b5bb72dd1313b133b428e6604bde1a7e1da7fb216ae
Amadey
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
Amadey
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
Amadey
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
Amadey
b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f
Amadey
c5e41abe14036a3331b4bd9e3bb24be2424439a8030b8dfbe1a61a3da6482573
Amadey
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
Amadey
d642eb17671f269eddc3d1045845374a45eda0a7c3fd197d8b7f6a3355ba01d6
Amadey
+ 624 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@soul3ss discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/211001-y5jzzadbe7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
95.216.43.58:40566
Unpacked files
SH256 hash:
ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2
MD5 hash:
d7a4223e43b194c93b0663e8e319fbaa
SHA1 hash:
d6cbe3198b1875a485773496b0e9c2b944b23133
Link:
https://www.unpac.me/results/78251baf-0dc1-4365-a705-ba2f9e5d56ba/
Malware family:
Mal/HTMLGen-A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ff96c05cc539/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe ff96c05cc539eae59ea43c37f1996372589b33aa2ba3a9bdc5a1e7b20b1f75b2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194053/
  
URLhaus
https://urlhaus.abuse.ch/url/1642880/

Comments


Avatar
zbet commented on 2021-10-01 20:21:45 UTC

url : hxxp://2.56.59.42/WW/file5.exe