amadey

Sharing

Copy URL

Twitter E-mail

General

Target

67cb1519b04712177716a6c87cf51264.exe
Size

790KB
Sample

240119-q2yd7afgb5
MD5

67cb1519b04712177716a6c87cf51264
SHA1

e77caf42107a191354ffb6c978be9eb7f09da831
SHA256

00c430ff9419de414c9a73a7dbbdbc1ca235e509e7d89c5ea2f948938c869ab0
SHA512

570634c4da43101fe3643434bd37c80627d1b3c88094d7b276dba00b80aba8af4528dcc0ed2122560f3d5557b96e7c26a156e34e8dca3a5a799386a0cfcbdb61
SSDEEP

24576:poxaB/nPwQbaiyIakEL5JYqDZbmNrU0W0Rl:pP/nPlLL85JRZSgu

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

fabookie

http://app.alie3ksgaa.com/check/safe

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

redline

Botnet

@Pixelscloud

94.156.65.198:13781

Targets

- Target
  
  67cb1519b04712177716a6c87cf51264.exe
- Size
  
  790KB
- MD5
  
  67cb1519b04712177716a6c87cf51264
- SHA1
  
  e77caf42107a191354ffb6c978be9eb7f09da831
- SHA256
  
  00c430ff9419de414c9a73a7dbbdbc1ca235e509e7d89c5ea2f948938c869ab0
- SHA512
  
  570634c4da43101fe3643434bd37c80627d1b3c88094d7b276dba00b80aba8af4528dcc0ed2122560f3d5557b96e7c26a156e34e8dca3a5a799386a0cfcbdb61
- SSDEEP
  
  24576:poxaB/nPwQbaiyIakEL5JYqDZbmNrU0W0Rl:pP/nPlLL85JRZSgu
Score

10^/10

amadey fabookie glupteba redline risepro smokeloader stealc xmrig @pixelscloud @rlreborn cloud tg: @fatherofcarders)pub1 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Modifies boot configuration data using bcdedit
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2