amadey

Sharing

Copy URL

Twitter E-mail

General

Target

0x0007000000022e38-52.dat
Size

30KB
Sample

231030-ape43sbg42
MD5

43afb655d1d3293da6b8cc77a75da887
SHA1

87c0bffd01806b7ebbe993e0845b675bdd5c24c1
SHA256

e6028f3c79a75d274f4c541dae8a9de96002b2f5360405189cc53e560f91601c
SHA512

45e454c7d55f2416a48b74626778dd033a5cd894523bae4ad1d90f8a4136787e9fb257c87dd331d3733e5e0f6e6eb473221159062200a0d07ba71971683719c3
SSDEEP

384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

pixelnew

194.49.94.11:80

Extracted

Family

raccoon

Botnet

6a6a005b9aa778f606280c5fa24ae595

http://195.123.218.98:80

http://31.192.23

Attributes

user_agent
SunShineMoonLight

xor.plain

Targets

- Target
  
  0x0007000000022e38-52.dat
- Size
  
  30KB
- MD5
  
  43afb655d1d3293da6b8cc77a75da887
- SHA1
  
  87c0bffd01806b7ebbe993e0845b675bdd5c24c1
- SHA256
  
  e6028f3c79a75d274f4c541dae8a9de96002b2f5360405189cc53e560f91601c
- SHA512
  
  45e454c7d55f2416a48b74626778dd033a5cd894523bae4ad1d90f8a4136787e9fb257c87dd331d3733e5e0f6e6eb473221159062200a0d07ba71971683719c3
- SSDEEP
  
  384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW
Score

10^/10

amadey glupteba povertystealer raccoon redline sectoprat smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza pixelnew up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan dcrat
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Poverty Stealer Payload
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
  stealer povertystealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

DcRat

Detect Poverty Stealer Payload

Detect ZGRat V1

Glupteba

Glupteba payload

Modifies Windows Defender Real-time Protection settings

Poverty Stealer

Raccoon

Raccoon Stealer payload

RedLine

RedLine payload

SectopRAT

SectopRAT payload

SmokeLoader

ZGRat

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2