amadey

Sharing

General

Target

21cd7586b33a785b66ecded76d05c238.bin
Size

1.8MB
Sample

240327-bt8gvsha75
MD5

7a9be94873aa51893240b462bc4ed069
SHA1

7719da7ebe2f496247c604b17f68423e5689690d
SHA256

20ae443a1f3603f13d11f495108d0d74afcdf3c9c1aac96a56e9a7b0eca22bf5
SHA512

fba5d6cfe305d13a58254e1efbf19094c287157610e3dc11631f975e740f7430a4ff6d0cc4a6378c661ec59656e2219d146ea026f3935b766207c4842e623fe4
SSDEEP

49152:PHGSYWzDc8UlUurKsQ/RzoLe/K1ySbQSahYCgu9Bz:iSc3Db+ueXJSyYCgu9Bz

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32

Extracted

Family

amadey

Version

4.12

http://185.172.128.19

Attributes

install_dir
cd1f156d67
install_file
Utsysc.exe
strings_key
0dd3e5ee91b367c60c9e575983554b30
url_paths
/ghsdh39s/index.php

rc4.plain

Targets

- Target
  
  682e5a143bf1041ee0d8cf47c9d8c0aad22cb9fa2cd353dbe367a80011e9a158.exe
- Size
  
  1.8MB
- MD5
  
  21cd7586b33a785b66ecded76d05c238
- SHA1
  
  d2a004ee0d3355acd845acc8b5a02d78be29884c
- SHA256
  
  682e5a143bf1041ee0d8cf47c9d8c0aad22cb9fa2cd353dbe367a80011e9a158
- SHA512
  
  9b0a45877e9a4a51e8632c22b23e985aaf9277100142f1f90a109f12b38209400e45903970fb4f608774bb17ab34625414e7b5cf917023c4a5cc13fd1433ee98
- SSDEEP
  
  24576:Foo0BavrjK/btvFFdVLNZCNSrlBfc0b3LAoI+RF4YOXfQkYzPi1w4EWUz0T9Z0/4:50D7f9CqK0b3NYdYzs9EkE
Score

10^/10

amadey evasion trojan purelogstealer redline smokeloader zgrat @oleh_psp livetraffic backdoor discovery infostealer rat spyware stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
  stealer purelogstealer
- PureLog Stealer payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect ZGRat V1

PureLog Stealer

PureLog Stealer payload

RedLine

RedLine payload

SmokeLoader

ZGRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads local data of messenger clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2