amadey

Sharing

General

Target

c20b34625df01f32a1d37676bfe43c84.exe
Size

386KB
Sample

230901-y54z5shh55
MD5

c20b34625df01f32a1d37676bfe43c84
SHA1

498b6c87b8d1a616760f3e4e550f4650d5b64dc0
SHA256

33e7df640d73c684871ff3828d1813f000c7a179e06a72f50a2ddefaac434bc8
SHA512

5d5c1330098247bdf94abcb4c5f2b0235fe67666efc1da7e0e05796563c000c521b41d70b67457514b88a680117ce8d3f7be45438bdc42e7fd0a6844fc9480d8
SSDEEP

6144:lVGhtukSJDYkJUXxzp9TNmrkl9BTgLUebH/i:lVGhtukS9ZOXVNmr8rTgLUeL/

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

rc4.i32

Extracted

Family

redline

Botnet

lux3

176.123.9.142:14845

Attributes

auth_value
e94dff9a76da90d6b000642c4a52574b

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

amadey

Version

3.87

79.137.192.18/9bDc8sQ/index.php

Attributes

install_dir
577f58beff
install_file
yiueea.exe
strings_key
a5085075a537f09dec81cc154ec0af4d

rc4.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

149.202.0.242:31728

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Extracted

Family

redline

Botnet

installs

162.55.189.218:26952

Attributes

auth_value
4bdfa4191a2826ff2af143a4691bab78

Targets

- Target
  
  c20b34625df01f32a1d37676bfe43c84.exe
- Size
  
  386KB
- MD5
  
  c20b34625df01f32a1d37676bfe43c84
- SHA1
  
  498b6c87b8d1a616760f3e4e550f4650d5b64dc0
- SHA256
  
  33e7df640d73c684871ff3828d1813f000c7a179e06a72f50a2ddefaac434bc8
- SHA512
  
  5d5c1330098247bdf94abcb4c5f2b0235fe67666efc1da7e0e05796563c000c521b41d70b67457514b88a680117ce8d3f7be45438bdc42e7fd0a6844fc9480d8
- SSDEEP
  
  6144:lVGhtukSJDYkJUXxzp9TNmrkl9BTgLUebH/i:lVGhtukS9ZOXVNmr8rTgLUeL/
Score

10^/10

amadey fabookie redline smokeloader installs logsdiller cloud (tg: @logsdillabot)lux3 summ backdoor discovery infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2