amadey

General

Target

306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab
Size

1.8MB
Sample

240219-ty883agf36
MD5

ddb4cd4e446a27ca61d36b778ea0272b
SHA1

fba5a59b90b7a8a6497a38198d52713cfb9b9893
SHA256

306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab
SHA512

d8cd0eff6d5f563a6299eeed304bc62d5e6be6f97cf210718ee31560aebdb911bbdd64fbd2d1ef35de497a1252e5787df4514ab454a73d3a581d0cc8497265b5
SSDEEP

49152:JxBEupI7MajV+P6nBgS9V36b9jvF2g2WWe1xt:JxBE6I7M1P/Y36b9jcgAe9

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

new

C2

185.215.113.67:26260

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

risepro

C2

193.233.132.62

193.233.132.62:50500

Targets

- Target
  
  306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab
- Size
  
  1.8MB
- MD5
  
  ddb4cd4e446a27ca61d36b778ea0272b
- SHA1
  
  fba5a59b90b7a8a6497a38198d52713cfb9b9893
- SHA256
  
  306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab
- SHA512
  
  d8cd0eff6d5f563a6299eeed304bc62d5e6be6f97cf210718ee31560aebdb911bbdd64fbd2d1ef35de497a1252e5787df4514ab454a73d3a581d0cc8497265b5
- SSDEEP
  
  49152:JxBEupI7MajV+P6nBgS9V36b9jvF2g2WWe1xt:JxBE6I7M1P/Y36b9jcgAe9
Score

10^/10

amadey evasion trojan glupteba redline risepro xmrig zgrat new discovery dropper infostealer loader miner persistence pyinstaller rat spyware stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2