General
-
Target
ab1d9ac86a641e28866a4f1506354a0556eb76ea889f8d161d2931694fb467e8
-
Size
3.9MB
-
Sample
231014-am8nlshc94
-
MD5
a9e8149936ef872d5aa942ab450f2755
-
SHA1
e6a9c61e2390dbb0d219196d089ea28667a180d6
-
SHA256
ab1d9ac86a641e28866a4f1506354a0556eb76ea889f8d161d2931694fb467e8
-
SHA512
7d56003a346e8bf452793080a7b043e35a4db09dfe0f5dd7582fcea5bbcf5e0cd5957285d2df96cd4c1b1c771994b47fff2af5350cadecf3b3a78cefec24d9a1
-
SSDEEP
49152:Wg7EDs0p1XawH6a3vw5es/5nVFT/FpAbUkbZiceaY9Gp/Co0+yWpnljzWi2rmjEg:Wg7E4wahH/TmbUafYMBhpljzWDrmAy
Malware Config
Extracted
amadey
3.89
http://77.91.68.52/mac/index.php
http://77.91.68.78/help/index.php
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
crazy
77.91.124.82:19071
-
auth_value
ba4a10868a3fced942a9614406c7cd66
Extracted
redline
kukish
77.91.124.55:19071
Extracted
amadey
3.83
http://5.42.65.80/8bmeVwqx/index.php
-
install_dir
207aa4515d
-
install_file
oneetx.exe
-
strings_key
3e634dd0840c68ae2ced83c2be7bf0d4
Extracted
redline
pixelscloud
85.209.176.171:80
Extracted
redline
breha
77.91.124.55:19071
Targets
-
-
Target
ab1d9ac86a641e28866a4f1506354a0556eb76ea889f8d161d2931694fb467e8
-
Size
3.9MB
-
MD5
a9e8149936ef872d5aa942ab450f2755
-
SHA1
e6a9c61e2390dbb0d219196d089ea28667a180d6
-
SHA256
ab1d9ac86a641e28866a4f1506354a0556eb76ea889f8d161d2931694fb467e8
-
SHA512
7d56003a346e8bf452793080a7b043e35a4db09dfe0f5dd7582fcea5bbcf5e0cd5957285d2df96cd4c1b1c771994b47fff2af5350cadecf3b3a78cefec24d9a1
-
SSDEEP
49152:Wg7EDs0p1XawH6a3vw5es/5nVFT/FpAbUkbZiceaY9Gp/Co0+yWpnljzWi2rmjEg:Wg7E4wahH/TmbUafYMBhpljzWDrmAy
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1