amadey

Sharing

Copy URL

Twitter E-mail

General

Target

0x000600000001ac38-53.dat
Size

30KB
Sample

231030-dc4tfsad9z
MD5

170290678f70bb5247ca3b9f40787263
SHA1

646ef2684fbf2937f0603ecdaf0cc304375b4dab
SHA256

08e3ae45b1c0f0137705a7f83f892cfb57b11a5fef1d2f4cfd003dc030c074cb
SHA512

e9a4ec0414603bb7ddc1b3564de1efbd7fdd7f78fc8787d7a192dc6c60c1563e3147d0a1c2b4dbea95b2975a4bfa5a9a2854e84358874e91084f81754305d3b6
SSDEEP

384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

pixelnew

194.49.94.11:80

Extracted

Family

raccoon

Botnet

6a6a005b9aa778f606280c5fa24ae595

http://195.123.218.98:80

http://31.192.23

Attributes

user_agent
SunShineMoonLight

xor.plain

Targets

- Target
  
  0x000600000001ac38-53.dat
- Size
  
  30KB
- MD5
  
  170290678f70bb5247ca3b9f40787263
- SHA1
  
  646ef2684fbf2937f0603ecdaf0cc304375b4dab
- SHA256
  
  08e3ae45b1c0f0137705a7f83f892cfb57b11a5fef1d2f4cfd003dc030c074cb
- SHA512
  
  e9a4ec0414603bb7ddc1b3564de1efbd7fdd7f78fc8787d7a192dc6c60c1563e3147d0a1c2b4dbea95b2975a4bfa5a9a2854e84358874e91084f81754305d3b6
- SSDEEP
  
  384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW
Score

10^/10

amadey glupteba povertystealer raccoon redline sectoprat smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza pixelnew up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan dcrat
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Poverty Stealer Payload
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
  stealer povertystealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

DcRat

Detect Poverty Stealer Payload

Detect ZGRat V1

Glupteba

Glupteba payload

Modifies Windows Defender Real-time Protection settings

Poverty Stealer

Raccoon

Raccoon Stealer payload

RedLine

RedLine payload

SectopRAT

SectopRAT payload

SmokeLoader

ZGRat

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2