amadey

General

Target

a6b354a0f54fee9934cb0a5233ee708e.exe
Size

274KB
Sample

221220-m1nxkshd22
MD5

a6b354a0f54fee9934cb0a5233ee708e
SHA1

2c7091dcba19168be529c0a5873effb5b6b34d07
SHA256

fb8592116149c09a733fb220937d1b482f2f656112a7f90176b066fe3c75fa13
SHA512

6f9815460452e41bcb3dd24a9a0867f010f60130ae16479ec371f728364a2a2547a49605ef3121bf356974d350ccba7f0753d7a1b1c4106dfc305ab350fb076b
SSDEEP

6144:cmazLKDg7dSlhUxUAjrGPkjylT8ZE3y6/Ukl3Y9Z8Ca:cmEmDgBNxJj6EylTGSR3u0

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.63

C2

62.204.41.79/tT7774433/index.php

Extracted

Family

amadey

Version

3.60

C2

62.204.41.13/gjend7w/index.php

Extracted

Family

redline

Botnet

nokia

C2

31.41.244.198:4083

Attributes

auth_value
3b38e056d594ae0cf1368e6e1daa3a4e

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/wduwe19/

Extracted

Family

redline

Botnet

Pto100TraF333

C2

82.115.223.15:15486

Attributes

auth_value
d4c53e9109a4b130f5246d494cd30e4d

Extracted

Family

amadey

Version

3.50

C2

31.41.244.237/jg94cVd30f/index.php

Targets

- Target
  
  a6b354a0f54fee9934cb0a5233ee708e.exe
- Size
  
  274KB
- MD5
  
  a6b354a0f54fee9934cb0a5233ee708e
- SHA1
  
  2c7091dcba19168be529c0a5873effb5b6b34d07
- SHA256
  
  fb8592116149c09a733fb220937d1b482f2f656112a7f90176b066fe3c75fa13
- SHA512
  
  6f9815460452e41bcb3dd24a9a0867f010f60130ae16479ec371f728364a2a2547a49605ef3121bf356974d350ccba7f0753d7a1b1c4106dfc305ab350fb076b
- SSDEEP
  
  6144:cmazLKDg7dSlhUxUAjrGPkjylT8ZE3y6/Ukl3Y9Z8Ca:cmEmDgBNxJj6EylTGSR3u0
Score

10^/10

amadey redline socelars nokia collection discovery infostealer persistence spyware stealer trojan vmprotect pto100traf333
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2