amadey

General

Target

c0a814071b61136589ed07da216f842be99122c592615b63122be04581059200
Size

1.5MB
Sample

231101-x2l5gscc31
MD5

1b249eb8332dc9981bd0a2c4cb98119f
SHA1

a4ce697b328b800be92e1151007d4efbc43d2201
SHA256

c9ec024605557d1ffafc4c077e527c3904dc2c57445451c395c54d77dc1c5302
SHA512

be1a133f783bfe83696195e63ffb47bd1e1fd55fc0e43f9aeca7716ae78512f7334710886a0ff3d0519463b2db27b8e96dd05e5f507d10f3752a794f06ff97e9
SSDEEP

24576:GPoyAqPsEjNe4GiNI4V0BnVIQKvZLkLdpPsyGKNuu6Yu/SelpJoOhplcIByYjYvc:IvAqPsEjk4GiNIdVIQKvNEPkoIwYLR

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Targets

- Target
  
  c0a814071b61136589ed07da216f842be99122c592615b63122be04581059200
- Size
  
  1.5MB
- MD5
  
  227e079e196474e1d0cc1012129edfec
- SHA1
  
  5648b0823e5035ae88b71676acc47f7070977a1b
- SHA256
  
  c0a814071b61136589ed07da216f842be99122c592615b63122be04581059200
- SHA512
  
  00b21d9c8c4d052d802ba22a89f54a3dc477b62e5360ec8059cdc0d071c5aa0534ddaf7f2d7b5d490200717cb4cbefd86afefe4a1fa0968686d658e9f24f3484
- SSDEEP
  
  24576:8ygPIkjz+U8ON6sh0BjVuAKvB985XJFWy6APuw0Yu/SeT2xwX0VYSy3Axt:rgPIkjaU8ON6zZuAKvLkz+X0+Sye
Score

10^/10

amadey dcrat redline smokeloader grome backdoor paypal evasion infostealer persistence phishing rat trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1