amadey

General

Target

ea3081b6dd31197675f5d03c9853c2a8dd51868ac0bf7956cba0cfe1f7e8ae45.zip
Size

1.5MB
Sample

231119-z38qzsbf53
MD5

5cbc4d4d1b760f8ee5e218f8d3e05abb
SHA1

e1d65c564626be4b248b77c4a6cf8ba494ee7ea9
SHA256

c4a160dda352eefaf8c70029f2fe34d2804b6c828d108a6f986398205f75da8b
SHA512

d3f90d116ecffb1092a11fe9b4107b1e97bf8c4e291f63582a2604102a766fa39cb2a009a36e716ee64a41fb8d864cceaaab84b2663d26f626a922b7d0f3ee1e
SSDEEP

49152:EoHKwbn8tRkfsplh1fIz3pnZf02zIk2OFf:zUROilhp45l0A2af

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Targets

- Target
  
  ea3081b6dd31197675f5d03c9853c2a8dd51868ac0bf7956cba0cfe1f7e8ae45.exe
- Size
  
  1.5MB
- MD5
  
  4876370b4aa7cc5c03cbfc21da0d5c3b
- SHA1
  
  4cf8de2830dc960f37ba0dd0e8d50d6be0c90206
- SHA256
  
  ea3081b6dd31197675f5d03c9853c2a8dd51868ac0bf7956cba0cfe1f7e8ae45
- SHA512
  
  e9fe38309061dbd5ea49ae9f7337738074c7caa3db6163bba27a18c6cf7d071015383ccd6578792018c48fd9e25ef9a883341cf3db725bc42cd5fc50ec96552f
- SSDEEP
  
  24576:Myqv6Mq+w7oXYLxxccNUwCHCYqd+Rl0VxQW2Se7/+zCD13Y1:7qvPq+yJXUfjD0VD2SK/+zCD13
Score

10^/10

amadey dcrat mystic redline smokeloader grome backdoor paypal evasion infostealer persistence phishing rat stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1