amadey

Resubmissions

17-02-2024 10:02

240217-l24trade9w 10

17-02-2024 08:08

240217-j1qvdsdc95 10

Sharing

Copy URL

Twitter E-mail

General

Target

049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97
Size

1.8MB
Sample

240217-j1qvdsdc95
MD5

c9d376e79eb0251dfb1b0fb3e8b76afc
SHA1

b7630bdc371afbf8085c3e067f3292dbf7c436e3
SHA256

049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97
SHA512

6b23e23e0a960e7e8dc1bcfd8bd47d0df595b54db18c7f761273e767d75de58a7666d837036b4d6229e072ca2a871f75eb9457449a71759cba651d4efea0d218
SSDEEP

49152:6zryoaJgiTbUaOhHtjJSG1Eix9yRtQzYx7ZJXgsY+3n:s+DqiTw14yjyUMx7Dgs53

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

new

185.215.113.67:26260

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

redline

Botnet

@oni912

45.15.156.209:40481

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTrafic

20.218.68.91:9552

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

remcos

Botnet

1800

xrootx.zapto.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
viewer.exe
copy_folder
viewer
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
viewer
mouse_option
false
mutex
Rmc-BAHBFO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

lumma

https://mealroomrallpassiveer.shop/api

https://gemcreedarticulateod.shop/api

https://secretionsuitcasenioise.shop/api

https://claimconcessionrebe.shop/api

https://liabilityarrangemenyit.shop/api

https://triangleseasonbenchwj.shop/api

https://resergvearyinitiani.shop/api

Targets

- Target
  
  049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97
- Size
  
  1.8MB
- MD5
  
  c9d376e79eb0251dfb1b0fb3e8b76afc
- SHA1
  
  b7630bdc371afbf8085c3e067f3292dbf7c436e3
- SHA256
  
  049dc901492d208bc49729c2e8e0ccd7aa832e9ea499ac932b3af93f4fa2ef97
- SHA512
  
  6b23e23e0a960e7e8dc1bcfd8bd47d0df595b54db18c7f761273e767d75de58a7666d837036b4d6229e072ca2a871f75eb9457449a71759cba651d4efea0d218
- SSDEEP
  
  49152:6zryoaJgiTbUaOhHtjJSG1Eix9yRtQzYx7ZJXgsY+3n:s+DqiTw14yjyUMx7Dgs53
Score

10^/10

amadey evasion trojan dcrat glupteba lumma redline remcos rhadamanthys risepro smokeloader zgrat 1800 @oni912 livetrafic new backdoor discovery dropper infostealer loader persistence rat rootkit spyware stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2