amadey

General

Target

4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36
Size

4.8MB
Sample

230130-hhmjkshe56
MD5

8269702edacf7c4e3ac06a8b94039e53
SHA1

517837b65db61f5313a34bb2f7d78d4c0a571594
SHA256

4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36
SHA512

0b8094710eb6e263e4c88916fece32849a528db30d8b74b5cae201c12c2fdf8556e207531d7c3b59c2248928dc523f24c68def28ab1279fab3ce762ac6301c7d
SSDEEP

98304:e0bkY51aSiMu1aRYM7Sz0VVhE5gJ+kmpvxQxkQ8v3os0:sY51a4w59zv5DkmpG2Q8Pj0

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

raccoon

Botnet

04f8fa0bf52b1b98a127f6deeac54f84

C2

http://94.131.3.70/

http://83.217.11.11/

http://83.217.11.13/

http://83.217.11.14/

http://45.15.156.222/

rc4.plain

Targets

- Target
  
  4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36
- Size
  
  4.8MB
- MD5
  
  8269702edacf7c4e3ac06a8b94039e53
- SHA1
  
  517837b65db61f5313a34bb2f7d78d4c0a571594
- SHA256
  
  4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36
- SHA512
  
  0b8094710eb6e263e4c88916fece32849a528db30d8b74b5cae201c12c2fdf8556e207531d7c3b59c2248928dc523f24c68def28ab1279fab3ce762ac6301c7d
- SSDEEP
  
  98304:e0bkY51aSiMu1aRYM7Sz0VVhE5gJ+kmpvxQxkQ8v3os0:sY51a4w59zv5DkmpG2Q8Pj0
Score

10^/10

amadey dcrat raccoon smokeloader 04f8fa0bf52b1b98a127f6deeac54f84 backdoor collection discovery infostealer rat spyware stealer trojan vmprotect
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detects Smokeloader packer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1