amadey

General

Target

42aed74af72a642b952053e20504009df2872fddd1de55218aa9e89b3426b885
Size

167KB
Sample

221125-16kc8sag56
MD5

6a94a4e3527df402262f107808151912
SHA1

b15f74212b1deb0467449d71dfd861f5f451b18d
SHA256

42aed74af72a642b952053e20504009df2872fddd1de55218aa9e89b3426b885
SHA512

ed596ab03158c78dc27a6736f7ae6403c8b70aed20f73073b6da4d8d17ee533804a0f693ce66df1edef0fa676575ee795f565fc434d15a384ab0a63cbe6b9d47
SSDEEP

3072:TQ9aPFUzFUulC8S55iYBzvNnUCv9zvT+dHSjOc2m2t:Ka9uemCdiYBzFnUCv9z7Fjox

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.50

C2

77.73.134.65/o7VsjdSa2f/index.php

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes

auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Targets

- Target
  
  42aed74af72a642b952053e20504009df2872fddd1de55218aa9e89b3426b885
- Size
  
  167KB
- MD5
  
  6a94a4e3527df402262f107808151912
- SHA1
  
  b15f74212b1deb0467449d71dfd861f5f451b18d
- SHA256
  
  42aed74af72a642b952053e20504009df2872fddd1de55218aa9e89b3426b885
- SHA512
  
  ed596ab03158c78dc27a6736f7ae6403c8b70aed20f73073b6da4d8d17ee533804a0f693ce66df1edef0fa676575ee795f565fc434d15a384ab0a63cbe6b9d47
- SSDEEP
  
  3072:TQ9aPFUzFUulC8S55iYBzvNnUCv9zvT+dHSjOc2m2t:Ka9uemCdiYBzFnUCv9z7Fjox
Score

10^/10

amadey redline smokeloader kript backdoor collection infostealer spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Detects Smokeloader packer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1