amadey

Sharing

Copy URL

Twitter E-mail

General

Target

ab31ce3d8435d9d31eb80309924c56a9.exe
Size

792KB
Sample

240203-wlvw1shebr
MD5

ab31ce3d8435d9d31eb80309924c56a9
SHA1

60f1f567faffa6a38fa482ea4483255827ec06d5
SHA256

d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b
SHA512

e5feeb7fd610879e680be3b97c7c108521c81aa910e350f2e11172f8136f7df43ec0ca44d3353b25cf7c370a3445909f9d74a12249a75b85547ebc7fcfb658af
SSDEEP

12288:2BghBmftb1V6Lnmo7YNQN2YcKify3iHPuXBY7CHW6+gjfOoNb9up:2Bscftb+LnvwQgsiK3zXBon9iZNA

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTrafic

20.79.30.95:33223

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

@oni912

45.15.156.209:40481

Targets

- Target
  
  ab31ce3d8435d9d31eb80309924c56a9.exe
- Size
  
  792KB
- MD5
  
  ab31ce3d8435d9d31eb80309924c56a9
- SHA1
  
  60f1f567faffa6a38fa482ea4483255827ec06d5
- SHA256
  
  d4fb8d5a5a69af75715a025e51606825e4f17ca9ffa264979853f08a689b867b
- SHA512
  
  e5feeb7fd610879e680be3b97c7c108521c81aa910e350f2e11172f8136f7df43ec0ca44d3353b25cf7c370a3445909f9d74a12249a75b85547ebc7fcfb658af
- SSDEEP
  
  12288:2BghBmftb1V6Lnmo7YNQN2YcKify3iHPuXBY7CHW6+gjfOoNb9up:2Bscftb+LnvwQgsiK3zXBon9iZNA
Score

10^/10

amadey djvu redline risepro xmrig @pixelscloud livetrafic discovery evasion infostealer miner persistence ransomware stealer trojan upx privateloader @oni912 collection loader
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2