amadey | 58c6a8fd5635e1798583b5f7a5f15b6965bd3e90d8da956d8456fad179827a68 | Triage

Sharing

General

Target

934a6769fe2fde5b39e294f9f81845b9eb7421279d8a9e26c611bf4a3a28545c
Size

1.5MB
Sample

231101-wref8abd71
MD5

d3902d30d07685ce183605012e2d27be
SHA1

a1a12f26fc45e4e48b38fd92d8e45ee9569ae16c
SHA256

58c6a8fd5635e1798583b5f7a5f15b6965bd3e90d8da956d8456fad179827a68
SHA512

2f17aa07838fa314edbc363c5ec9d802496e77683adf3440fdeeb831fab8c5608a084b19e60f5a0fa158e230bc75ca55d216b08ad948df353e33062172f75ffd
SSDEEP

49152:90zvHiYfS4zztjaWYSN52hs7UQs1V5ojzPFfHjVu:evfS4zlBxP4QsRojz9/Ru

Score

10^/10

amadey dcrat redline smokeloader grome backdoor evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Targets

- Target
  
  934a6769fe2fde5b39e294f9f81845b9eb7421279d8a9e26c611bf4a3a28545c
- Size
  
  1.5MB
- MD5
  
  f6a85e451b93154c16a1b992c18626ef
- SHA1
  
  adef6ef37ea62e919f2c70e2aefee0e9b402fefd
- SHA256
  
  934a6769fe2fde5b39e294f9f81845b9eb7421279d8a9e26c611bf4a3a28545c
- SHA512
  
  dc160e3af8709872d26997f321de3c9079bba0d5769a4412a862725a441e5794d709d144cce20d15dd4a982d4815b7b41ff9699898f79cf5256b629650123a02
- SSDEEP
  
  49152:6wfBTHwOS4xhtDkW8LA8TiKnQ1X5o7EPF5HwdQ:7fFNS4xXzCA82KnQ1JoA9J+Q
Score

10^/10

amadey dcrat redline smokeloader grome backdoor evasion infostealer persistence rat trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeydcratredlinesmokeloadergromebackdoorevasioninfostealerpersistencerattrojan