amadey

Sharing

Copy URL

Twitter E-mail

General

Target

531292f4b404a53a700330fa4d622d80b3b72ca2c2f525d7fe0009381fb471c0
Size

260KB
Sample

240121-19z8vsbee9
MD5

458210ef2582bca66b0afd0f218cfabe
SHA1

84380de56730f62f60c3b45d91e7434664e57b04
SHA256

531292f4b404a53a700330fa4d622d80b3b72ca2c2f525d7fe0009381fb471c0
SHA512

a21b1bb648a0a230aa156c2f90b4b465e128b20da79b47cc6b7f98abe7e20084fd502a1790b6ed2e37e3974413e0b75edd44b3f9491c4f2c97b1062be0b0da42
SSDEEP

3072:xkhue6/cSz90u2DEJClClQoyLZrs+f6hMCgin21DX7QfrehPY7IQPJUtw+h0j:xkh/BEQ0SBs+f6/gnEre5YEQRE2

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

45.15.156.60:12050

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

91.92.248.67:6606

91.92.248.67:7707

91.92.248.67:8808

Mutex

MOgiiF6Liim5

Attributes

delay
3
install
false
install_file
temp.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

ST12

185.172.128.33:38294

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

amadey

Version

4.17

http://185.196.10.34

Attributes

install_dir
eff1401c19
install_file
Dctooux.exe
strings_key
6e23b5eadc27bb0b2eaebdd4fed1beb2
url_paths
/b8sdjsdkS/index.php

rc4.plain

Targets

- Target
  
  531292f4b404a53a700330fa4d622d80b3b72ca2c2f525d7fe0009381fb471c0
- Size
  
  260KB
- MD5
  
  458210ef2582bca66b0afd0f218cfabe
- SHA1
  
  84380de56730f62f60c3b45d91e7434664e57b04
- SHA256
  
  531292f4b404a53a700330fa4d622d80b3b72ca2c2f525d7fe0009381fb471c0
- SHA512
  
  a21b1bb648a0a230aa156c2f90b4b465e128b20da79b47cc6b7f98abe7e20084fd502a1790b6ed2e37e3974413e0b75edd44b3f9491c4f2c97b1062be0b0da42
- SSDEEP
  
  3072:xkhue6/cSz90u2DEJClClQoyLZrs+f6hMCgin21DX7QfrehPY7IQPJUtw+h0j:xkh/BEQ0SBs+f6/gnEre5YEQRE2
Score

10^/10

amadey asyncrat dcrat loaderbot redline risepro smokeloader zgrat default logsdiller cloud (tg: @logsdillabot)pub1 st12 backdoor discovery infostealer loader miner persistence rat spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect ZGRat V1
- LoaderBot
  LoaderBot is a loader written in .NET downloading and executing miners.
  loader miner loaderbot
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Async RAT payload
  rat
- LoaderBot executable
- Downloads MZ/PE file
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

AsyncRat

DcRat

Detect ZGRat V1

LoaderBot

RedLine

RedLine payload

RisePro

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

Async RAT payload

LoaderBot executable

Downloads MZ/PE file

Deletes itself

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2