Windows Analysis Report
NBhsazR1jn.exe

Overview

General Information

Sample name: NBhsazR1jn.exe
renamed because original name is a hash value
Original sample name: 5bfbf7207a01679ae899dc56be674afdb0d384efb17123c0b7598fb176c08bfc.exe
Analysis ID: 1466140
MD5: 9a5e25ebaa4cc2cd19b8461da0218120
SHA1: 95324fa5183097b528e2a0aa78e7e4a6dd7559d1
SHA256: 5bfbf7207a01679ae899dc56be674afdb0d384efb17123c0b7598fb176c08bfc
Tags: exe

Detection

Amadey
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
PE file contains section with special chars
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: NBhsazR1jn.exe Malware Configuration Extractor: Amadey {"C2 url": "77.91.77.81/Kiru9gu/index.php", "Version": "4.30"}
Source: NBhsazR1jn.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 90.2% probability
Source: NBhsazR1jn.exe Joe Sandbox ML: detected
Source: NBhsazR1jn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Malware configuration extractor IPs: 77.91.77.81
Source: Joe Sandbox View IP Address: 77.91.77.81
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

System Summary

Source: NBhsazR1jn.exe Static PE information: section name:
Source: NBhsazR1jn.exe Static PE information: section name: .idata
Source: NBhsazR1jn.exe Static PE information: section name:
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_007860A2 0_2_007860A2
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_00769910 0_2_00769910
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_00764AD0 0_2_00764AD0
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_00764CD0 0_2_00764CD0
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_00780D23 0_2_00780D23
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_00781512 0_2_00781512
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_00783D01 0_2_00783D01
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: String function: 0077D852 appears 51 times
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: String function: 00777F00 appears 122 times
Source: NBhsazR1jn.exe Static PE information: No import functions for PE file found
Source: NBhsazR1jn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal80.troj.spyw.winEXE@1/0@0/1
Source: NBhsazR1jn.exe ReversingLabs: Detection: 44%
Source: NBhsazR1jn.exe Static file information: File size 4968448 > 1048576
Source: NBhsazR1jn.exe Static PE information: Raw size of fonvwcns is bigger than: 0x100000 < 0x19f800
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: NBhsazR1jn.exe Static PE information: real checksum: 0x1dcdea should be: 0x4cab37
Source: NBhsazR1jn.exe Static PE information: section name:
Source: NBhsazR1jn.exe Static PE information: section name: .idata
Source: NBhsazR1jn.exe Static PE information: section name:
Source: NBhsazR1jn.exe Static PE information: section name: fonvwcns
Source: NBhsazR1jn.exe Static PE information: section name: ijaqkjlo
Source: NBhsazR1jn.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_0077D82C push ecx; ret 0_2_0077D83F
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_00771314 push ecx; retn 0000h 0_2_00771315
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_0077064F push ss; iretd 0_2_00770650
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\NBhsazR1jn.exe Code function: 0_2_0077DCA1 cpuid 0_2_0077DCA1

Stealing of Sensitive Information

Source: Yara match File source: NBhsazR1jn.exe, type: SAMPLE
Source: Yara match File source: 0.0.NBhsazR1jn.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NBhsazR1jn.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1403943303.0000000000761000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2655506895.0000000000761000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY