amadey

Target

a.exe
Size

5KB
Sample

230624-1v4mqscd77
MD5

800a6337b0b38274efe64875d15f70c5
SHA1

6b0858c5f9a2e2b5980aac05749e3d6664a60870
SHA256

76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
SHA512

bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
SSDEEP

48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://sungeomatics.com/css/colors/debug2.ps1

Extracted

Credentials

Protocol: smtp
Host:
smtpm.csloxinfo.com
Port:
587
Username:
[email protected]
Password:
Smr20007

Extracted

Family

amadey

Version

3.84

109.206.241.33/9bDc8sQ/index.php

Extracted

Family

amadey

Version

3.83

45.9.74.80/0bjdn2Z/index.php

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

formbook

Version

4.1

Campaign

k2l0

Decoy

thaomocquysonla.click

everblue-scr.com

yifangwuliu.top

zmrwe.buzz

xiaodong6.xyz

apartmentsforrent-gb-tok.bond

mtproductions.xyz

yattaya.com

thetastyfoodguide.com

gulfcoastclubfishing.com

capitalrepros.com

sonetpl.com

amenallelulia.com

shafanavn.com

1ywab.com

getflooringservices.today

quanhuipeng.com

tinytribecollective.com

mollyandpat.com

280175053.xyz

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

formbook

Version

4.1

Campaign

sy18

Decoy

mgn4.com

gemellebeauty.com

emj2x.top

melissamcduffee.com

holangman.top

cqmksw.com

pinax.info

u2sr03.shop

weighing.xyz

jetcasinosite-official6.top

xyz.ngo

suandoc.xyz

aboutwean.site

stockprob.com

bawdydesignz.com

buddybooster.net

scuderiaexotics.com

design-de-interiores.wiki

shipsmartstore.com

patricklloydrunning.com

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

Extracted

Family

smokeloader

Botnet

up3

Targets

- Target
  
  a.exe
- Size
  
  5KB
- MD5
  
  800a6337b0b38274efe64875d15f70c5
- SHA1
  
  6b0858c5f9a2e2b5980aac05749e3d6664a60870
- SHA256
  
  76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
- SHA512
  
  bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
- SSDEEP
  
  48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt
Score

10^/10

amadey fabookie formbook gcleaner lgoogloader smokeloader pub1 pub5 up3 k2l0 sy18 backdoor downloader evasion loader persistence pyinstaller rat spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Fabookie payload
- Detects LgoogLoader payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- LgoogLoader
  A downloader capable of dropping and executing other malware families.
  downloader lgoogloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Formbook payload
  rat
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1