amadey

General

Target

fbbab69dc5117deef453ffa6828c52153656bf6a2233079e777f7d11f2637993
Size

1.6MB
Sample

231101-rpprysac94
MD5

eccddb13320653c97c686c10722b20cb
SHA1

33d000df1d34c4b3776552cccae6e0a5b9626e7b
SHA256

fbbab69dc5117deef453ffa6828c52153656bf6a2233079e777f7d11f2637993
SHA512

47cc97344a36d61b59c0d20b69b4e0be5436cf461db0e2b1839422b17d0ed82068cd6bb166d6e652b2f7581829bace1aa9455658f6579d8fd91fb07951e371fb
SSDEEP

49152:Wwts5kBxNkkygRkj6AVdglXuGAhVq0jvASr:7qYxekvAVdgNBAj

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Targets

- Target
  
  fbbab69dc5117deef453ffa6828c52153656bf6a2233079e777f7d11f2637993
- Size
  
  1.6MB
- MD5
  
  eccddb13320653c97c686c10722b20cb
- SHA1
  
  33d000df1d34c4b3776552cccae6e0a5b9626e7b
- SHA256
  
  fbbab69dc5117deef453ffa6828c52153656bf6a2233079e777f7d11f2637993
- SHA512
  
  47cc97344a36d61b59c0d20b69b4e0be5436cf461db0e2b1839422b17d0ed82068cd6bb166d6e652b2f7581829bace1aa9455658f6579d8fd91fb07951e371fb
- SSDEEP
  
  49152:Wwts5kBxNkkygRkj6AVdglXuGAhVq0jvASr:7qYxekvAVdgNBAj
Score

10^/10

amadey dcrat redline smokeloader grome backdoor paypal evasion infostealer persistence phishing rat trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1