amadey | ae0ab06b1b25513a17b11b0958cbef553d2c815adc8d7d421070ed1ef47ea9f5 | Triage

Sharing

General

Target

462775da57daa6fba336ad88e62f95256834160417f94a07b5c34891e2887814
Size

1.5MB
Sample

231101-wzc85abe6t
MD5

d7b9e80cf2f7faf078630caa223bb4c7
SHA1

7a57ffefbba02ab9e01c5587e85f1c1c51b8df71
SHA256

ae0ab06b1b25513a17b11b0958cbef553d2c815adc8d7d421070ed1ef47ea9f5
SHA512

f9ffb5b4bb46e9cb433a8328e25acaf6baf40d80117813318aae58062e0e10e3caf226672cf4a62c6da3f94b5855fdf86ef59b05ce13b2989adb285bf88dec0c
SSDEEP

24576:dyFhdE7HB4K3yUaNqvoHZj+qKmMxygUdHUJMTCW7E1Ze2+jw/+f:4FhayKraNqvuZJ7S6HUJM5E1Z24+f

Score

10^/10

amadey redline smokeloader grome backdoor paypal evasion infostealer persistence phishing trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Targets

- Target
  
  462775da57daa6fba336ad88e62f95256834160417f94a07b5c34891e2887814
- Size
  
  1.5MB
- MD5
  
  f5f0c412eef5d991ae6e8677ff9d5d12
- SHA1
  
  80bfc92a37f53fde55a2856f696d4028310dacc6
- SHA256
  
  462775da57daa6fba336ad88e62f95256834160417f94a07b5c34891e2887814
- SHA512
  
  771729d0ec9662dd41c7d0267a72816ecde7c7d50efb91d1a2d11d7d464ee8138c2c28bed21e1a5f4aeb55f74ca9ac798479e4ba760e4a43c66b47f3301bb71a
- SSDEEP
  
  24576:eye2hJEnB0z+yT7qvo9DjCqf2MxogUhHUJQgsZr1qyMD2ojwWRHl:tlh7zbqvkD9+SWHUJaDM7JRH
Score

10^/10

amadey redline smokeloader grome backdoor paypal evasion infostealer persistence phishing trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

amadeyredlinesmokeloadergromebackdoorpaypalevasioninfostealerpersistencephishingtrojan