amadey

Target

a.exe
Size

5KB
Sample

230624-2s7gaade5y
MD5

800a6337b0b38274efe64875d15f70c5
SHA1

6b0858c5f9a2e2b5980aac05749e3d6664a60870
SHA256

76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
SHA512

bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
SSDEEP

48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://sungeomatics.com/css/colors/debug2.ps1

Extracted

Credentials

Protocol: smtp
Host:
smtpm.csloxinfo.com
Port:
587
Username:
[email protected]
Password:
Smr20007

Extracted

Family

amadey

Version

3.84

109.206.241.33/9bDc8sQ/index.php

Extracted

Family

amadey

Version

3.83

45.9.74.80/0bjdn2Z/index.php

Extracted

Family

formbook

Version

4.1

Campaign

k2l0

Decoy

thaomocquysonla.click

everblue-scr.com

yifangwuliu.top

zmrwe.buzz

xiaodong6.xyz

apartmentsforrent-gb-tok.bond

mtproductions.xyz

yattaya.com

thetastyfoodguide.com

gulfcoastclubfishing.com

capitalrepros.com

sonetpl.com

amenallelulia.com

shafanavn.com

1ywab.com

getflooringservices.today

quanhuipeng.com

tinytribecollective.com

mollyandpat.com

280175053.xyz

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

formbook

Version

4.1

Campaign

sy18

Decoy

mgn4.com

gemellebeauty.com

emj2x.top

melissamcduffee.com

holangman.top

cqmksw.com

pinax.info

u2sr03.shop

weighing.xyz

jetcasinosite-official6.top

xyz.ngo

suandoc.xyz

aboutwean.site

stockprob.com

bawdydesignz.com

buddybooster.net

scuderiaexotics.com

design-de-interiores.wiki

shipsmartstore.com

patricklloydrunning.com

Extracted

Family

smokeloader

Version

2022

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Targets

- Target
  
  a.exe
- Size
  
  5KB
- MD5
  
  800a6337b0b38274efe64875d15f70c5
- SHA1
  
  6b0858c5f9a2e2b5980aac05749e3d6664a60870
- SHA256
  
  76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
- SHA512
  
  bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
- SSDEEP
  
  48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt
Score

10^/10

amadey asyncrat fabookie formbook gcleaner lgoogloader quasar raccoon redline sectoprat smokeloader stormkitty xmrig pub1 pub5 up3 k2l0 sy18 backdoor downloader evasion infostealer loader miner pyinstaller rat spyware stealer themida trojan upx vmprotect
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Fabookie payload
- Detects LgoogLoader payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- LgoogLoader
  A downloader capable of dropping and executing other malware families.
  downloader lgoogloader
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- Formbook payload
  rat
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1