amadey

Target

4363463463464363463463463.bin.zip
Size

4KB
Sample

240110-r2wq2ahchl
MD5

4204f7bcb4ce002240de2af9fc5f4264
SHA1

83fb5688b0cffa93b06719d0fc5b62f70af460c5
SHA256

0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d
SHA512

75a636889904293bb493957af9fecf5ad044ff44bb82c07b550473e6af45931ece7f2e72b53891a90c4045f8d816752414c560d2486f055824f069e6573bf103
SSDEEP

96:fq6yIIHV+fWsPpulzlC8luqtW5idkvRmb/DLr2OtWtvJAsO13uhy5RKd9Wj:BIHV8WN5lu4iiTD/COtSvJAF1Gy5RKdC

Malware Config

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

cheat

103.173.227.25:12664

Extracted

Family

redline

Botnet

kent

89.23.98.143:11627

Attributes

auth_value
24d164ebaf8f462b9dc88d186199283b

Extracted

Family

amadey

Version

4.15

http://5.42.66.0

Attributes

install_dir
2154552ab1
install_file
Dctooux.exe
strings_key
6336764a2dd0b02921ade5383944a3f8
url_paths
/f7Vkbh7X/index.php

rc4.plain

Targets

- Target
  
  4363463463464363463463463.bin
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

betabot redline sectoprat smokeloader cheat lab backdoor botnet evasion infostealer persistence rat trojan dcrat zgrat kent bootkit spyware themida upx amadey glupteba socks5systemz xmrig discovery dropper loader miner rootkit pyinstaller
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- BetaBot
  Beta Bot is a Trojan that infects computers and disables Antivirus.
  trojan backdoor botnet betabot
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Socks5Systemz Payload
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socks5Systemz
  Socks5Systemz is a botnet written in C++.
  botnet socks5systemz
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Disables taskbar notifications via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Looks for VMWare services registry key.
  evasion
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4