amadey | bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc
Size

186KB
Sample

221124-sj6zqacc34
MD5

f57f3df41e4e1123477d9e31a319e463
SHA1

bea4a79f6661843f75f41ea9d7ecd5afdfd9fb09
SHA256

bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc
SHA512

9d12426c7fe90ce67ad5f0c3e6fa3ca64ce91484550398e6b11ca6b22aa7d88ee1f678ae3cc120ae2685d23636730c77df74af48334b6e87703999650b38dfe1
SSDEEP

3072:VsWWyp/VkRjnY7YLvDNjrQuP5UZ+BXlzUW9Bi9SKrAtMUrH:NW+VxYLLNj0dZ+Bh9BoSKct7

Score

10^/10

amadey redline smokeloader kript backdoor infostealer spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc.exe

Resource

win10-20220901-en

amadey redline smokeloader kript backdoor infostealer spyware trojan

windows10-1703-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes

auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Targets

- Target
  
  bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc
- Size
  
  186KB
- MD5
  
  f57f3df41e4e1123477d9e31a319e463
- SHA1
  
  bea4a79f6661843f75f41ea9d7ecd5afdfd9fb09
- SHA256
  
  bee21ffa9386ae7feef30f9e990983b7dfdc116edf263fd9243ae7ebdfb0e6bc
- SHA512
  
  9d12426c7fe90ce67ad5f0c3e6fa3ca64ce91484550398e6b11ca6b22aa7d88ee1f678ae3cc120ae2685d23636730c77df74af48334b6e87703999650b38dfe1
- SSDEEP
  
  3072:VsWWyp/VkRjnY7YLvDNjrQuP5UZ+BXlzUW9Bi9SKrAtMUrH:NW+VxYLLNj0dZ+Bh9BoSKct7
Score

10^/10

amadey redline smokeloader kript backdoor infostealer spyware trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

amadeyredlinesmokeloaderkriptbackdoorinfostealerspywaretrojan

© 2018-2024

Terms | Privacy