amadey

Resubmissions

02-12-2021 21:17

211202-z5jvmsfah4 10

02-12-2021 20:08

02-12-2021 07:20

02-12-2021 07:16

28-11-2021 10:30

28-11-2021 10:25

Sharing

Copy URL

Twitter E-mail

General

Target

e94ed1fcc1cf44012a075bf53b076f75ab6565ac76fb18e0b32681cfc986f984
Size

312KB
Sample

211202-h6ajxsffe5
MD5

8c7681f265518e57648779adcfd5ec97
SHA1

581beb026b505ce66dea78ff17140a6e4c353acc
SHA256

e94ed1fcc1cf44012a075bf53b076f75ab6565ac76fb18e0b32681cfc986f984
SHA512

65cf17a4b4b3e8b737aaf956accddeeb2ccb8ac73108ab486411944232d0b2cf4c66221aabac14124127daf1d86f5eaee54b73ee7bff95e348057cf0db0c472c

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

arkei

Botnet

Default

http://file-file-host4.com/tratata.php

Extracted

Family

redline

92.255.76.197:38637

Extracted

Family

icedid

Campaign

3494996616

zanokiryq.com

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

a4435492072e1725ecfc7edeb4f4a401e49cf7f4

Attributes

url4cnc
http://91.219.236.207/zalmanssx
http://185.225.19.18/zalmanssx
http://91.219.237.227/zalmanssx
https://t.me/zalmanssx

rc4.plain

Extracted

Family

icedid

Campaign

3494996616

Extracted

Family

redline

Botnet

1.12mix222

104.238.221.208:21732

Extracted

Family

redline

Botnet

test01.12

185.215.113.15:21508

Extracted

Family

amadey

Version

2.85

185.215.113.35/d2VxjasuwS/index.php

Targets

- Target
  
  e94ed1fcc1cf44012a075bf53b076f75ab6565ac76fb18e0b32681cfc986f984
- Size
  
  312KB
- MD5
  
  8c7681f265518e57648779adcfd5ec97
- SHA1
  
  581beb026b505ce66dea78ff17140a6e4c353acc
- SHA256
  
  e94ed1fcc1cf44012a075bf53b076f75ab6565ac76fb18e0b32681cfc986f984
- SHA512
  
  65cf17a4b4b3e8b737aaf956accddeeb2ccb8ac73108ab486411944232d0b2cf4c66221aabac14124127daf1d86f5eaee54b73ee7bff95e348057cf0db0c472c
Score

10^/10

smokeloader backdoor trojan arkei cryptbot icedid redline default 3494996616 banker collection discovery evasion infostealer spyware stealer themida raccoon a4435492072e1725ecfc7edeb4f4a401e49cf7f4 amadey 1.12mix222 test01.12 persistence
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Arkei
  Arkei is an infostealer written in C++.
  stealer arkei
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Registers COM server for autorun
  persistence
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- evasion
  evasion.
  evasion
- Arkei Stealer Payload
  stealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Arkei

CryptBot

IcedID, BokBot

Raccoon

RedLine

RedLine Payload

Registers COM server for autorun

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

evasion

Arkei Stealer Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Themida packer

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7