amadey

Sharing

Copy URL

Twitter E-mail

General

Target

aeb3236afddb12ba3c0c18e7e842948c.bin
Size

780KB
Sample

240205-dpmqpsbaan
MD5

66a6a59f67fbbfd4e6ed56c85e2b3d7f
SHA1

62b9426924cf6567e1ed78789f75d5f749987c25
SHA256

b7aef2c40c16194058d8d3c09bf6bba311800b3f138eebc8f161516446f7d147
SHA512

e38bffec6e16be63dd8ef553d0d28abc0109056b913d63807a13f8f302b76548984d6b79df519033c05b1e10f7c418f2b96ea72ce1b6254fe1d7b5f77bf45053
SSDEEP

24576:jRAx17xdLtvGXwmyl3lOQiFh/sUISf+z41j2Esr/yXhIA:+x17rLoXtO3MQcVsl0Vsr2

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

@oni912

45.15.156.209:40481

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Extracted

Family

redline

Botnet

LiveTrafic

20.79.30.95:33223

Targets

- Target
  
  b7d749fb9ae8ad5fff025f69cbfb54c6b52e559fc989e46622e53a662a667c5e.exe
- Size
  
  793KB
- MD5
  
  aeb3236afddb12ba3c0c18e7e842948c
- SHA1
  
  de2aabf5bc14532e9f0f9afe6ed401cc5debab84
- SHA256
  
  b7d749fb9ae8ad5fff025f69cbfb54c6b52e559fc989e46622e53a662a667c5e
- SHA512
  
  a98f031f7acc3a98a07b9f3830ea6f728804d67b5bff160d74d74aa7f03b82bb9d988edf8594f0f06983f655f36de43ff5d866faeb0a62237c568c742226a1d8
- SSDEEP
  
  24576:+5Zn6l5jnFwQvBaWnBCq/3/vncikZbmNrUfhXHNv:yn6rnFlvBaWnt/38ikZSgZX
Score

10^/10

amadey trojan redline zgrat @oleh_ps @oni912 @pixelscloud livetrafic evasion infostealer persistence rat
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2