amadey

General

Target

882fa492ec0648500be5bc1fac274380bb234bc16689e72f540da54bf1a0845c
Size

188KB
Sample

221110-c8g4wseba4
MD5

7d3c5eb8910223fd46a2544d485506bc
SHA1

4d13c0be1fcbdf5d674ca4bf4af64d1044bd6018
SHA256

882fa492ec0648500be5bc1fac274380bb234bc16689e72f540da54bf1a0845c
SHA512

9ca7db3b8fec1807105f95857f4afe2f4eb19ca2c9744a7096e5e636b46107c8c2691d70d0af5d6d5ff16dbb324fb12f0a0ae68d3c143108f00a0cef1433bd12
SSDEEP

3072:8lXOsjCj5iLQ1SOL1JRxLwz5UMiq5LnEyPjK9Chk:kFRLQ1SOXaiqhnEyP29y

Score

10^/10

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

VQDbQF

C2

http://1timirwin.online/

Mutex

BN[c2b186b276dafd778d6e70a89d9083b7]

Attributes

antivm
true
elevate_uac
true
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
true
usb_spread
false

Targets

- Target
  
  882fa492ec0648500be5bc1fac274380bb234bc16689e72f540da54bf1a0845c
- Size
  
  188KB
- MD5
  
  7d3c5eb8910223fd46a2544d485506bc
- SHA1
  
  4d13c0be1fcbdf5d674ca4bf4af64d1044bd6018
- SHA256
  
  882fa492ec0648500be5bc1fac274380bb234bc16689e72f540da54bf1a0845c
- SHA512
  
  9ca7db3b8fec1807105f95857f4afe2f4eb19ca2c9744a7096e5e636b46107c8c2691d70d0af5d6d5ff16dbb324fb12f0a0ae68d3c143108f00a0cef1433bd12
- SSDEEP
  
  3072:8lXOsjCj5iLQ1SOL1JRxLwz5UMiq5LnEyPjK9Chk:kFRLQ1SOXaiqhnEyP29y
Score

10^/10

amadey blacknet smokeloader vqdbqf backdoor discovery evasion pyinstaller spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- BlackNET
  BlackNET is an open source remote access tool written in VB.NET.
  trojan blacknet
- BlackNET payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detects Smokeloader packer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1