amadey

General

Target

ec2c94a21a52027c229a7824d4a1c5ca.bin
Size

780KB
Sample

240124-evdwesaec6
MD5

1deba99ab90bb289c3d1a80b67dd8a04
SHA1

7242e9b7435c8f28d6b6a0c222012245f54780ac
SHA256

3c2e54cf5340c3b1c1a013e1748db7359339eb1280d73f7f3278eab8c40f7b63
SHA512

df110ff8a64bd94e5365959bf3f070d5af4272a3ad55a8bf54672964f6973c9bd8dedb82ff3231c5040f9e9502e5b5236705143070372a9a86f02419cb812601
SSDEEP

12288:2hXBVDri2lkeM8028oPkVrda0U/yyeyqaW25zl/RCrTCW9/deBCjAsHu/obP2CN+:2hXBRri2w528ocbaQPswaW9/dw6u/o6P

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

amadey

C2

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

C2

193.233.132.62:50500

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.113.35.45:38357

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

C2

141.95.211.148:46011

Extracted

Family

redline

Botnet

@PixelsCloud

C2

94.156.67.176:13781

Targets

- Target
  
  cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
- Size
  
  791KB
- MD5
  
  ec2c94a21a52027c229a7824d4a1c5ca
- SHA1
  
  b17aa25017bf7d0af7ffb946bcace0d51331d351
- SHA256
  
  cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e
- SHA512
  
  f44190b724851959ad712af3fecf4c397386b81a2c5f4258bd0b5ce028b173f29d57a296a448d1568d5de3eb25623f119cea3cabbee6c753890fe3e006df0761
- SSDEEP
  
  24576:Skt2zwjdnAwQ4x2K3yWds0JkKyV0+mZbmNrUCV+7d9/1:PnnAlpadsLK+mZSgfpF
Score

10^/10

amadey redline risepro xmrig zgrat discovery evasion infostealer miner persistence rat spyware stealer trojan @pixelscloud @rlreborn cloud tg: @fatherofcarders)livetraffic
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2