amadey

General

Target

NEAS.0ca6d71b6dd1cdf5be38f463e6cfa63a39ba33b48ceaf53678477ce06f12654a_JC.exe
Size

1.2MB
Sample

231007-mr3z5sah4t
MD5

7200369a96bb3565a81484533317f7bb
SHA1

782a7370ed10c232370d8e46eb67da1c61f86011
SHA256

0ca6d71b6dd1cdf5be38f463e6cfa63a39ba33b48ceaf53678477ce06f12654a
SHA512

4dc7b0add70b6f9b78363d51a1803fb5919bb4c4ef4bead163fa4529be504a5d0bd95ea0dbae33d633aadd5f7f59df40e3a2094359f3a36d36ed0139f6756de7
SSDEEP

24576:IywOU8g/2ceKkmAExdZM0bUFie1LL8O3SqV0TqVrL4p1rouil+7M3W9en/AaR:PwOU8g+WAcZMtFDv8ahH4p1w09en4

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6415420186:AAFl1R3-Kr5zbvKkeofTPjxvxd9leZKNs2M/sendMessage?chat_id=940609421

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  NEAS.0ca6d71b6dd1cdf5be38f463e6cfa63a39ba33b48ceaf53678477ce06f12654a_JC.exe
- Size
  
  1.2MB
- MD5
  
  7200369a96bb3565a81484533317f7bb
- SHA1
  
  782a7370ed10c232370d8e46eb67da1c61f86011
- SHA256
  
  0ca6d71b6dd1cdf5be38f463e6cfa63a39ba33b48ceaf53678477ce06f12654a
- SHA512
  
  4dc7b0add70b6f9b78363d51a1803fb5919bb4c4ef4bead163fa4529be504a5d0bd95ea0dbae33d633aadd5f7f59df40e3a2094359f3a36d36ed0139f6756de7
- SSDEEP
  
  24576:IywOU8g/2ceKkmAExdZM0bUFie1LL8O3SqV0TqVrL4p1rouil+7M3W9en/AaR:PwOU8g+WAcZMtFDv8ahH4p1w09en4
Score

10^/10

mystic evasion persistence stealer trojan amadey asyncrat redline stormkitty default frant infostealer rat spyware
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Async RAT payload
  rat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2