amadey

General

Target

ada4c1e60724a0764ccc571881f140cf11f23122abe2517b3d441bdfba912e42
Size

350KB
Sample

230412-g93t7sca6y
MD5

3e48cdd75bac6e63481537c633d9deef
SHA1

b97c36dd1ebcc18d8a79e842dde9bde143941d72
SHA256

ada4c1e60724a0764ccc571881f140cf11f23122abe2517b3d441bdfba912e42
SHA512

eb8d2740b9b823bdc33aad242eb18111af3a784b01dff78ca8c636eee412553571a4fc6385f8bfa6280c6d55951ef641fe539ed76d8499448103ff2d0918a86e
SSDEEP

6144:yWgUmkDUSeKN8pR4vtXitTppppVvrv0XyozE:yWSkDDeKN8p7TppppVvD0y

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32

Extracted

Family

djvu

C2

http://zexeq.com/lancer/get.php

Attributes

extension
.boty
offline_id
A5whrmSMRYQPLIwxS6XFix1PGn8lJ9uXUaipSat1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-eneUZ5ccES Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0688UIuhd

rsa_pubkey.plain

Extracted

Family

amadey

Version

3.70

C2

77.73.134.27/n9kdjc3xSf/index.php

Extracted

Family

redline

Botnet

ROBER

C2

138.201.195.134:15564

Attributes

auth_value
de311ede2b43457816afc0d9989c5255

Extracted

Family

smokeloader

Botnet

pub1

Targets

- Target
  
  ada4c1e60724a0764ccc571881f140cf11f23122abe2517b3d441bdfba912e42
- Size
  
  350KB
- MD5
  
  3e48cdd75bac6e63481537c633d9deef
- SHA1
  
  b97c36dd1ebcc18d8a79e842dde9bde143941d72
- SHA256
  
  ada4c1e60724a0764ccc571881f140cf11f23122abe2517b3d441bdfba912e42
- SHA512
  
  eb8d2740b9b823bdc33aad242eb18111af3a784b01dff78ca8c636eee412553571a4fc6385f8bfa6280c6d55951ef641fe539ed76d8499448103ff2d0918a86e
- SSDEEP
  
  6144:yWgUmkDUSeKN8pR4vtXitTppppVvrv0XyozE:yWSkDDeKN8p7TppppVvD0y
Score

10^/10

amadey djvu redline smokeloader pub1 rober backdoor discovery evasion infostealer persistence ransomware trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Deletes itself
- Executes dropped EXE
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1