amadey

Sharing

General

Target

New Compressed (zipped) Folder.zip
Size

738B
Sample

230930-t1sn4afc65
MD5

88301dec94819a0ad71fff9adcfae9f1
SHA1

a2e88e57e5325c9825b60a18acbd4d39fa70559a
SHA256

67a4b500b6afd7328ff998bba24e4289c9cb94330f2999e652def70b3cc1b4ec
SHA512

95399a665f9620125486fd3c7d5331b8a094ff857c79f39788e48e67cf8f3b87594652ac41b07304337c69e03310cde5b4b737b4d3f6d5825668eb1ee7c4102a

Score

10^/10

Malware Config

Extracted

Family

aurora

212.87.204.93:8081

Extracted

Family

formbook

Version

4.1

Campaign

ge06

Decoy

azaharparis.com

nationaleventsafety.com

covesstudy.com

quinshon4.com

moderco.net

trailblazerbaby.com

time-edu.net

azeemtourism.com

anakmedan3.click

bookinternationaltours.com

ulksht.top

newswirex.com

dingg.net

waveoflife.pro

miamirealestatecommercial.com

rtplive77.xyz

bowllywood.com

automation-tools-84162.bond

booptee.com

ebx.lat

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Extracted

Family

amadey

Version

3.89

http://193.42.32.29/9bDc8sQ/index.php

Attributes

install_dir
1ff8bec27e
install_file
nhdues.exe
strings_key
2efe1b48925e9abf268903d42284c46b

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

YT LOGS CLOUD

176.123.4.46:33783

Attributes

auth_value
f423cd8452a39820862c1ea501db4ccf

Targets

- Target
  
  New Compressed (zipped) Folder.zip
- Size
  
  738B
- MD5
  
  88301dec94819a0ad71fff9adcfae9f1
- SHA1
  
  a2e88e57e5325c9825b60a18acbd4d39fa70559a
- SHA256
  
  67a4b500b6afd7328ff998bba24e4289c9cb94330f2999e652def70b3cc1b4ec
- SHA512
  
  95399a665f9620125486fd3c7d5331b8a094ff857c79f39788e48e67cf8f3b87594652ac41b07304337c69e03310cde5b4b737b4d3f6d5825668eb1ee7c4102a
Score

10^/10

amadey aurora formbook redline smokeloader yt logs cloud ge06 sy22 backdoor evasion infostealer rat spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Formbook payload
  rat
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1