amadey | 4d79cda714ec0273d7fdcb1ad6b1116e9a1770f1eda03487cdd4d47b2b851b66 | Triage

Sharing

General

Target

457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.zip
Size

1.5MB
Sample

240402-mbcg9afb23
MD5

068eee6dda15b48eb2898dc73eb24a63
SHA1

feee9b7972b1a51a75b6da2441ae56c6cb1f6bf5
SHA256

4d79cda714ec0273d7fdcb1ad6b1116e9a1770f1eda03487cdd4d47b2b851b66
SHA512

334d757c7f61389a0f0288a231b20fbf050cf553f884e14464035674948f450983294490c3bceefb53a09965d23aefbb1aa031ecb1454fbb296b1c77bd449caf
SSDEEP

24576:+PUpfUBY/szs4fzmz+shkRGGi5YbmSTTGqInz3EUnXKRwtnVU0CPIxh/86:rpf7/szs47GJOTqlYUIYlCPIPV

Score

10^/10

amadey mystic redline smokeloader homed backdoor evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

homed

C2

109.107.182.133:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Targets

- Target
  
  457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e.exe
- Size
  
  1.5MB
- MD5
  
  b8a26d9c386ec312fd8470f0b728873d
- SHA1
  
  7fa5f682d9366c13c1ebfccd8b6c4ab4335ecc88
- SHA256
  
  457c1c09953a40ae6f672b1f59c3850869b22e5dcc5932fee87986b64310236e
- SHA512
  
  722d78ff2e3a77030c50b268c84e77339d86044f0c7eae20470d232f14d65c1a58a92889b9eeaa97908d65907d934ffbdda81a2f505ff3309a61b63540e18ee8
- SSDEEP
  
  24576:myab630MZL5fUEHJspwjRtFwMccpgrCp0tu69yL0FnhVQyNZQ:1abEdZ9fnp44TfcLAevQyNZ
Score

10^/10

amadey mystic redline smokeloader homed backdoor evasion infostealer persistence stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeymysticredlinesmokeloaderhomedbackdoorevasioninfostealerpersistencestealertrojanupx