amadey

Sharing

General

Target

0x0008000000022e42-67.dat
Size

221KB
Sample

231030-zwlymshb67
MD5

5174bd57aa66a91fcdfb9d24edbf91b1
SHA1

1be1d7363be0143e41f68c4aa9219ebd7283f92c
SHA256

e78328913eb6e865be32e3377f5292f665c1a9af986cae800261449cec698121
SHA512

70bdec84d292737f618b0f6c8c7fc98de5ab0be1483165c43465a015194b290719c8072692fd3bcebd3ef8f4f6154ca5d58e7cb6c3a45fb2562b30198759bc10
SSDEEP

6144:DEPAc72ss5pKL93yMax7pH3F2d1ugMeSWp:DE32xpoaxBFg1ugMeS

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Targets

- Target
  
  0x0008000000022e42-67.dat
- Size
  
  221KB
- MD5
  
  5174bd57aa66a91fcdfb9d24edbf91b1
- SHA1
  
  1be1d7363be0143e41f68c4aa9219ebd7283f92c
- SHA256
  
  e78328913eb6e865be32e3377f5292f665c1a9af986cae800261449cec698121
- SHA512
  
  70bdec84d292737f618b0f6c8c7fc98de5ab0be1483165c43465a015194b290719c8072692fd3bcebd3ef8f4f6154ca5d58e7cb6c3a45fb2562b30198759bc10
- SSDEEP
  
  6144:DEPAc72ss5pKL93yMax7pH3F2d1ugMeSWp:DE32xpoaxBFg1ugMeS
Score

10^/10

amadey trojan povertystealer redline smokeloader @ytlogsbot grome kinza up3 backdoor google infostealer persistence phishing stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Poverty Stealer Payload
- Detected google phishing page
  phishing google
- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
  stealer povertystealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect Poverty Stealer Payload

Detected google phishing page

Poverty Stealer

RedLine

RedLine payload

SmokeLoader

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2