amadey

General

Target

83baf716c50b90d398e1285d0c8c04c8.bin
Size

4.5MB
Sample

230131-krrk1ahd8w
MD5

83baf716c50b90d398e1285d0c8c04c8
SHA1

f3fcfe9bc9979ee7e3788507d10499d031df4c5c
SHA256

2c18cc487d7d1078460dce7e68108cb99eab6cb9ee1955ca4df3b2376f0a0e8b
SHA512

fcdfa7df6a6a454f95c34a6a25aef620d3caa055bf9332579f31ed63990534532c93918ac9ffca698912cb0eb123f31c58f46e78e912cfaa758f34f0c9e84213
SSDEEP

98304:XNuy0rzmaXuKBh0MiS+dOUOTvwuw8/VnZaSavvETlCC:duyGKZKBh0M6ObT19Z/u3

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

raccoon

Botnet

04f8fa0bf52b1b98a127f6deeac54f84

C2

http://94.131.3.70/

http://83.217.11.11/

http://83.217.11.13/

http://83.217.11.14/

http://45.15.156.222/

rc4.plain

Targets

- Target
  
  83baf716c50b90d398e1285d0c8c04c8.bin
- Size
  
  4.5MB
- MD5
  
  83baf716c50b90d398e1285d0c8c04c8
- SHA1
  
  f3fcfe9bc9979ee7e3788507d10499d031df4c5c
- SHA256
  
  2c18cc487d7d1078460dce7e68108cb99eab6cb9ee1955ca4df3b2376f0a0e8b
- SHA512
  
  fcdfa7df6a6a454f95c34a6a25aef620d3caa055bf9332579f31ed63990534532c93918ac9ffca698912cb0eb123f31c58f46e78e912cfaa758f34f0c9e84213
- SSDEEP
  
  98304:XNuy0rzmaXuKBh0MiS+dOUOTvwuw8/VnZaSavvETlCC:duyGKZKBh0M6ObT19Z/u3
Score

10^/10

amadey raccoon xmrig 04f8fa0bf52b1b98a127f6deeac54f84 evasion miner spyware stealer trojan upx vmprotect smokeloader backdoor
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Smokeloader packer
- Modifies security service
  evasion
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2