amadey | 316aac76c3849cea72da7c8e1e679673fc81a1a20582ac4e994452fc021603cc | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

316aac76c3849cea72da7c8e1e679673fc81a1a20582ac4e994452fc021603cc
Size

186KB
Sample

221123-mhxrrshd5x
MD5

b4b3c331cbf6fa5ad8cc37e1718a05e3
SHA1

812ccd9ebd7fa07689992b6bf062d10acd77222e
SHA256

316aac76c3849cea72da7c8e1e679673fc81a1a20582ac4e994452fc021603cc
SHA512

11bb4fb30dec201cb0353e095dde306fb151e9fab8e6f3ca60f94ca7d8ebff2d96d0cc7bb017c95cf7d640ae9fbd71d67a4f9eb01895eebefd9911421aee97ab
SSDEEP

3072:rSBJnYovRlQ1LxSwxWW8lD65qUSS7Kwb7W/9sUI2ASscAsAm:MnJsLxSwx98R/QKwb79U1AqA

Score

10^/10

amadey redline smokeloader kript backdoor infostealer spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

316aac76c3849cea72da7c8e1e679673fc81a1a20582ac4e994452fc021603cc.exe

Resource

win10-20220812-en

amadey redline smokeloader kript backdoor infostealer spyware trojan

windows10-1703-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes

auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Extracted

Family

redline

C2

185.215.113.83:60722

Attributes

auth_value
674feb1d15af397f9322eb62587035b3

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

Targets

- Target
  
  316aac76c3849cea72da7c8e1e679673fc81a1a20582ac4e994452fc021603cc
- Size
  
  186KB
- MD5
  
  b4b3c331cbf6fa5ad8cc37e1718a05e3
- SHA1
  
  812ccd9ebd7fa07689992b6bf062d10acd77222e
- SHA256
  
  316aac76c3849cea72da7c8e1e679673fc81a1a20582ac4e994452fc021603cc
- SHA512
  
  11bb4fb30dec201cb0353e095dde306fb151e9fab8e6f3ca60f94ca7d8ebff2d96d0cc7bb017c95cf7d640ae9fbd71d67a4f9eb01895eebefd9911421aee97ab
- SSDEEP
  
  3072:rSBJnYovRlQ1LxSwxWW8lD65qUSS7Kwb7W/9sUI2ASscAsAm:MnJsLxSwx98R/QKwb79U1AqA
Score

10^/10

amadey redline smokeloader kript backdoor infostealer spyware trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

amadeyredlinesmokeloaderkriptbackdoorinfostealerspywaretrojan

© 2018-2024

Terms | Privacy