amadey

General

Target

96dc6972d086e954a8b26414d984bdac.bin
Size

1.3MB
Sample

230913-b81essbe57
MD5

aaa1171e2289fe83461172c9c05a203d
SHA1

98fc0830d337afa231f540e4412ce6ad39f0030f
SHA256

104e8d671b5abf155fc4d0c2f2a2bdabcc15eec3c9c2c77970a0032a2810f72c
SHA512

ea3c900b655244643e64a17e1d99318df3cd01e2996b2f95ca46eb72e993f893913d8e34ab6d18dba8bd7b00bf8bfd51b613685b12882820bd32d9de294b8a17
SSDEEP

24576:f6pAV2/HTBBhtv++FkxuBD7EwwMe9CdhG+7c9GCa6JqLdP/rCcWS:N2/zBBDRrD7RNG+hSC60VjCq

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Extracted

Family

redline

Botnet

tuco

C2

77.91.124.82:19071

Attributes

auth_value
dcfeb759bae9232de006fc3a4b34ac53

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.83

C2

http://5.42.65.80/8bmeVwqx/index.php

Attributes

install_dir
207aa4515d
install_file
oneetx.exe
strings_key
3e634dd0840c68ae2ced83c2be7bf0d4

rc4.plain

Targets

- Target
  
  a4f8591f4d334bd38cefd3d69a596a495725aed03f7c434f5ed5b8bae51b4094.exe
- Size
  
  1.4MB
- MD5
  
  96dc6972d086e954a8b26414d984bdac
- SHA1
  
  3fdf3210c7dae4635cf13b2eb8dbdef5018c1f9c
- SHA256
  
  a4f8591f4d334bd38cefd3d69a596a495725aed03f7c434f5ed5b8bae51b4094
- SHA512
  
  a59ab6d45f64b376e687cbba1e24c83684df7ba276f50e82add24b8a910e4a4416f43a37b8eed1728451a44c52806c1169c17b08241719199d00ad65e978bf81
- SSDEEP
  
  24576:GeSiHCiSBBl2VjsBKMEa2oFWkc13A/qPQxQbuLHNpdOGbjuF9H:GiOBvIsBKvhKWk0g9xQbuD9OGnuF9
Score

10^/10

amadey healer redline smokeloader tuco backdoor discovery dropper evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2