amadey | c3302e85da983398265f853078caa80a9fafbfa5002e734c63381c724ad54c48 | Triage

Sharing

General

Target

d112da3669da0ca1489eef57ab3c6a6edcece5beea581b964b721679d66d79d7
Size

1.5MB
Sample

231101-ykj48scf4y
MD5

11baf84e51a2c3a6469db2d12d9df1f5
SHA1

34a5febeacfb91ce21ce4e72f47edc86cbeced58
SHA256

c3302e85da983398265f853078caa80a9fafbfa5002e734c63381c724ad54c48
SHA512

2bdbe2114207c19bee1890e6d793e49b4631cbb191f20df3ac120957807dd8428b76acfcb2d78ebdc5b425085ce7a09f53bd3f001c42ebfaf233891513f02aa4
SSDEEP

24576:W/yUo6T8tH1tuSOfLlN/E7st6kFi9lwS9fu3vSbDjVX72kAsn5e6RiUzqmoNIVXT:BeT8sZI7stU9lwCfo8fVL2M5en4oGJT

Score

10^/10

amadey dcrat redline smokeloader grome backdoor evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Targets

- Target
  
  d112da3669da0ca1489eef57ab3c6a6edcece5beea581b964b721679d66d79d7
- Size
  
  1.5MB
- MD5
  
  5144e7563fedae4f5db1f52e55a6af82
- SHA1
  
  08ea7334a42fc5b8718d93600e8d796713f5c0d7
- SHA256
  
  d112da3669da0ca1489eef57ab3c6a6edcece5beea581b964b721679d66d79d7
- SHA512
  
  fd63fff8a13a7ef6e000f2cd4fff0a58447354a28dc18116c4eef714f5659f0e570ff827102239d91614a15f9fd2fdf9a536339157b1eb293f363cde82c43d43
- SSDEEP
  
  24576:eyFguN811BVuzRfLpp/IJCBgkFE0b4vS9fmJfSJljRY72kAQn3eARmuOJIrY:t5N8ydoJCBpEvCfCI9RY2w3eFu1
Score

10^/10

amadey dcrat redline smokeloader grome backdoor evasion infostealer persistence rat trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeydcratredlinesmokeloadergromebackdoorevasioninfostealerpersistencerattrojan