amadey | 5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69 | Triage

Sharing

General

Target

5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69
Size

242KB
Sample

211208-ajqcvsggc8
MD5

09b5b0a7b9cc8ee3c0bef59dc3efeb12
SHA1

f0a81ebac233bda1421f490e4bfb8838cf7dbb4f
SHA256

5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69
SHA512

d5e8444f46da02db5aafabc86e19cb6bd2a313a501b4704d2ac10831d9359b2f638612810722dc67a0d3eb668f8907b46fa852042ea27e096d83dbfaabe09df9

Score

10^/10

amadey bazarloader raccoon redline smokeloader f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor dropper infostealer loader stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

f797145799b7b1b77b35d81de942eee0908da519

Attributes

url4cnc
http://91.219.236.27/capibar
http://94.158.245.167/capibar
http://185.163.204.216/capibar
http://185.225.19.238/capibar
http://185.163.204.218/capibar
https://t.me/capibar

rc4.plain

rc4.plain

Extracted

Family

amadey

Version

2.86

C2

185.215.113.35/d2VxjasuwS/index.php

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

fd4f23250443a724a3d1548e6ab07c481dfc2814

Attributes

url4cnc
http://91.219.236.27/duglassa1
http://94.158.245.167/duglassa1
http://185.163.204.216/duglassa1
http://185.225.19.238/duglassa1
http://185.163.204.218/duglassa1
https://t.me/duglassa1

rc4.plain

rc4.plain

Targets

- Target
  
  5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69
- Size
  
  242KB
- MD5
  
  09b5b0a7b9cc8ee3c0bef59dc3efeb12
- SHA1
  
  f0a81ebac233bda1421f490e4bfb8838cf7dbb4f
- SHA256
  
  5ad77e2c0157b1d07fbee143775c4e0ab30a0a8982e2ded212403beaad3f4f69
- SHA512
  
  d5e8444f46da02db5aafabc86e19cb6bd2a313a501b4704d2ac10831d9359b2f638612810722dc67a0d3eb668f8907b46fa852042ea27e096d83dbfaabe09df9
Score

10^/10

amadey bazarloader raccoon redline smokeloader f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor dropper infostealer loader stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Bazar/Team9 Loader payload
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

amadeybazarloaderraccoonredlinesmokeloaderf797145799b7b1b77b35d81de942eee0908da519fd4f23250443a724a3d1548e6ab07c481dfc2814backdoordropperinfostealerloaderstealertrojan