amadey

General

Target

acd37de7a2b18eaf223db696acd21360c7c2f68f2945bd33bb51a8c224ef78fd
Size

892KB
Sample

231102-17b39agc9v
MD5

ab0e9316c93ab669e4c187b2cabdf712
SHA1

c664af486784cf95a34276e17a58a79e8af652de
SHA256

acd37de7a2b18eaf223db696acd21360c7c2f68f2945bd33bb51a8c224ef78fd
SHA512

2db6e95f5bf5dfd04ff874b55f3dffdc3179a9fde104bb512bce5328e58a10ad4b50126ca99e6ad4a05baba2474a37396b1b31b5e9a09ebb26766db054295740
SSDEEP

12288:xrB5SejmdYPenb2U7vqx0T2vFEnrv9TpxfoxhOuuSVKqDZe:ptj+YPenb2U7vqennrvPFk

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

plost

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

kedru

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

pixelnew2.0

C2

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Targets

- Target
  
  acd37de7a2b18eaf223db696acd21360c7c2f68f2945bd33bb51a8c224ef78fd
- Size
  
  892KB
- MD5
  
  ab0e9316c93ab669e4c187b2cabdf712
- SHA1
  
  c664af486784cf95a34276e17a58a79e8af652de
- SHA256
  
  acd37de7a2b18eaf223db696acd21360c7c2f68f2945bd33bb51a8c224ef78fd
- SHA512
  
  2db6e95f5bf5dfd04ff874b55f3dffdc3179a9fde104bb512bce5328e58a10ad4b50126ca99e6ad4a05baba2474a37396b1b31b5e9a09ebb26766db054295740
- SSDEEP
  
  12288:xrB5SejmdYPenb2U7vqx0T2vFEnrv9TpxfoxhOuuSVKqDZe:ptj+YPenb2U7vqennrvPFk
Score

10^/10

amadey dcrat redline sectoprat smokeloader @ytlogsbot kedru pixelnew2.0 plost up3 backdoor google discovery evasion infostealer persistence phishing rat spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detected google phishing page
  phishing google
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1