amadey

General

Target

a138b72898e30ea18028693b9f1670b1.bin
Size

1.5MB
Sample

231102-c26tnshb97
MD5

81341fdf7d21d363336b9caaf99bde57
SHA1

eddf7c760305a0930bdf115e876ae11430ff17ac
SHA256

14cf13890f12d202f9960c1ed235b88c0c36bef403fe690bfb3753217fb6d78c
SHA512

3eee42aa16005f1aafa12a920483fafd044f79fc1c4a308cda4290a56dce043e1a59e3be595b4dc60d8983ebf82296f422ea993b6dafbec272faa4f38b5703bb
SSDEEP

24576:h//JqPIO00KB8n7LM/8PCHBXOGrW2oJE0JFTjcNnu5uuziauEQIg0CyPO7NE8pZP:h/cPIOdLn7LMlXJK2oJE0JFTopucuzMX

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

plost

C2

77.91.124.86:19084

Extracted

Family

redline

Botnet

kedru

C2

77.91.124.86:19084

Targets

- Target
  
  d10e1ac749cf2185f3c055253d44dbe8011ef7152c8fcc058b1552d86b9f77c6.exe
- Size
  
  1.5MB
- MD5
  
  a138b72898e30ea18028693b9f1670b1
- SHA1
  
  1257564ece8a860946b79e1596b7512539031d94
- SHA256
  
  d10e1ac749cf2185f3c055253d44dbe8011ef7152c8fcc058b1552d86b9f77c6
- SHA512
  
  2247e9f76bdd84265bfdf0f1d7fadc345a0f6954f732e62c4218c1b5f7c16f8589492b5f7dd6cfd348825ded228dcf5c5be18499743de4fc35ec8ff4b9f66271
- SSDEEP
  
  24576:IyOHYYPUyKXDTGEw+9BSHz5NZjFCbjBFEe0qNZ2sALHfBYvfplwGqypr2osk:Py2yGtAHRg3PEenNYsrfOCW
Score

10^/10

amadey dcrat redline smokeloader grome kedru plost backdoor paypal evasion infostealer persistence phishing rat trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1