amadey

Sharing

Copy URL

Twitter E-mail

General

Target

00cc92f1e99b2a765b43fe087c3c9dc3b06fc611d942fe455bc16ca1f2ab17f1
Size

1.8MB
Sample

240330-g7mp7sba46
MD5

de3d7fc154f052c04df136afde84d6fa
SHA1

82df237f38d5667ffec4e59be53ac1ab00831703
SHA256

00cc92f1e99b2a765b43fe087c3c9dc3b06fc611d942fe455bc16ca1f2ab17f1
SHA512

e7f0fc2575e921bb6a3a8ee29f978e49aeb586934334b1397b48c28a9388b7cac5689b24c4bffc74a25a29e1c7924581ad7a2a70564b9dee3a7017e97212b3b0
SSDEEP

49152:ib3LeR0TfuwdtCQOmT8CFRWJWzrORxYiZYHmXC5JCy46:jRgBCQvTjRlPONYjCy

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Jok123

185.215.113.67:26260

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Targets

- Target
  
  00cc92f1e99b2a765b43fe087c3c9dc3b06fc611d942fe455bc16ca1f2ab17f1
- Size
  
  1.8MB
- MD5
  
  de3d7fc154f052c04df136afde84d6fa
- SHA1
  
  82df237f38d5667ffec4e59be53ac1ab00831703
- SHA256
  
  00cc92f1e99b2a765b43fe087c3c9dc3b06fc611d942fe455bc16ca1f2ab17f1
- SHA512
  
  e7f0fc2575e921bb6a3a8ee29f978e49aeb586934334b1397b48c28a9388b7cac5689b24c4bffc74a25a29e1c7924581ad7a2a70564b9dee3a7017e97212b3b0
- SSDEEP
  
  49152:ib3LeR0TfuwdtCQOmT8CFRWJWzrORxYiZYHmXC5JCy46:jRgBCQvTjRlPONYjCy
Score

10^/10

amadey redline risepro zgrat @oleh_psp jok123 livetraffic evasion infostealer rat stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect ZGRat V1

RedLine

RedLine payload

RisePro

ZGRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Themida packer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2