amadey

Sharing

Copy URL Twitter E-mail

General

Target

a1f2be27781f879e50755c2d7bdc2302.bin
Size

160KB
Sample

231011-zkb93aed78
MD5

3eb98eb5caacfff9b0a71eb9dd35d794
SHA1

cd13b5c114869a84d68458a4a0ed6bb7f86e7e40
SHA256

f8e0532003683fd4380554994f0af27b46952000009fc7ddadd18245a5fd3053
SHA512

e3895345b14af73b85d45a09be2192b4932ed62dc710ab9da08169fe4b9d11238a713600a14073179d939ae2bc2fabd5d503d791483bbe085bda418cfd735b37
SSDEEP

3072:YTDPaMSQn0SgQiWEdxGq2o20R2y+DVQ8jHCjhcumXuwe:KDPaMSQn0l33f2o2Q2yc2cruwe

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

amadey

Version

3.83

http://5.42.65.80/8bmeVwqx/index.php

Attributes

install_dir
207aa4515d
install_file
oneetx.exe
strings_key
3e634dd0840c68ae2ced83c2be7bf0d4

rc4.plain

Extracted

Family

redline

Botnet

pixelscloud

85.209.176.171:80

Extracted

Family

redline

Botnet

@ytlogsbot

185.216.70.238:37515

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Targets

- Target
  
  8177189da97c5f66bec3a641221be486263554dbb8eac2068e67b4069ef29dec.exe
- Size
  
  261KB
- MD5
  
  a1f2be27781f879e50755c2d7bdc2302
- SHA1
  
  bce029a472286e8e8a7a87aa43c7906af9f108d0
- SHA256
  
  8177189da97c5f66bec3a641221be486263554dbb8eac2068e67b4069ef29dec
- SHA512
  
  38536db9a802676fd2309711494473445e7d74d71ad9f651c74ec0e236f7b5dbaecc01014245ea7b49de0af9a8e284a4acbf36fc1e1982261d35f6558dad68f4
- SSDEEP
  
  6144:XEH0pm39jOBs+DfT8i1O9DAOcjQlEKkp8/:X/Q39y6jN8+EKu8/
Score

10^/10

amadey dcrat healer redline sectoprat smokeloader @ytlogsbot pixelscloud backdoor discovery dropper evasion infostealer persistence rat spyware stealer trojan breha kukish microsoft phishing
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of SetThreadContext
behavioral1 behavioral2