amadey

General

Target

720045506762969c3b409a00bbcf282463368a102d624aa49d2dce714ff36e4b
Size

334KB
Sample

211024-fk77yseafj
MD5

b50a86a6f11641007bdb22eda87d56ae
SHA1

df083727f75752bdcd585c2ec09fcd4250c0a11b
SHA256

720045506762969c3b409a00bbcf282463368a102d624aa49d2dce714ff36e4b
SHA512

b2fe3dcc7ab547c974182b727e661c754741dd710bd97b6d4b5b0e7b8d16cd8259253053271b333375c7b4b590b5cbfba5c4ee36f13612510846aa8cf107953e

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://xacokuo8.top/

http://hajezey1.top/

rc4.i32

Extracted

Family

amadey

Version

2.70

C2

185.215.113.45/g4MbvE/index.php

Targets

- Target
  
  720045506762969c3b409a00bbcf282463368a102d624aa49d2dce714ff36e4b
- Size
  
  334KB
- MD5
  
  b50a86a6f11641007bdb22eda87d56ae
- SHA1
  
  df083727f75752bdcd585c2ec09fcd4250c0a11b
- SHA256
  
  720045506762969c3b409a00bbcf282463368a102d624aa49d2dce714ff36e4b
- SHA512
  
  b2fe3dcc7ab547c974182b727e661c754741dd710bd97b6d4b5b0e7b8d16cd8259253053271b333375c7b4b590b5cbfba5c4ee36f13612510846aa8cf107953e
Score

10^/10

amadey redline smokeloader backdoor discovery evasion infostealer spyware stealer suricata themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- suricata: ET MALWARE Amadey CnC Check-In
  suricata: ET MALWARE Amadey CnC Check-In
  suricata
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1