amadey

Sharing

General

Target

32555bd88434d1433322d501fe71a48dd77c43d4c3c24c564a6f03dafb2a1383
Size

145KB
Sample

231011-lwjavsfa8z
MD5

c692db2012aec4458a42afc3c227ee68
SHA1

33503fd0cb68bb045f90729e7b2c3cdaff684947
SHA256

61a1ddce233c93abf0fde0bd431e02a1a408e9f66ccbd55e46a64c1ab8b16bb4
SHA512

6799fa956a88870e841209a242987362b6143bc3ddd2c082bcf3bf845ce7993c6a44f6acd6c27add3b7e50afde03c1ecc5f14d40225fc4aace5454ec00b0b5ba
SSDEEP

3072:3pyEnyE9tJ1BnoZqB+Vd6ZztX4vb0ZmIUzmhQi4WoRZv:3/Z9tHho0B+Vd6BdvEIs4+Tv

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

pixelscloud

85.209.176.171:80

Extracted

Family

redline

Botnet

@ytlogsbot

185.216.70.238:37515

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Targets

- Target
  
  32555bd88434d1433322d501fe71a48dd77c43d4c3c24c564a6f03dafb2a1383
- Size
  
  240KB
- MD5
  
  624dcaa1ba37fa33c0600f8167272e12
- SHA1
  
  bc899a8028e1182d93fea1f243a960a21360ca8b
- SHA256
  
  32555bd88434d1433322d501fe71a48dd77c43d4c3c24c564a6f03dafb2a1383
- SHA512
  
  8b3267ab03370d5686fc3a36a9e272a5a42b1ebb07c5e48dc74129b5eeddb9e3189ce2a9ddb3f2a6bbf977380db43aabfc011a2b04fd4d6f0fa9d3a51c115681
- SSDEEP
  
  6144:VtPvIPv30odEtjuC+9VbzAOZVf0/cCVifQsaJF4S:Vm330sfzjVc/cCVikF4S
Score

10^/10

amadey glupteba healer redline sectoprat smokeloader @ytlogsbot pixelscloud up3 backdoor dropper evasion infostealer loader persistence rat trojan breha kukish
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2