amadey | 7f91b0066e36a8a2555c2a65bac5c760ceadd130fa3a1962a7de7cbed78dcfa3 | Triage

Sharing

General

Target

bfb38f4b63cad4967ed1fb59263513a57b05fa16dd1daa66887128e169a4eb03.zip
Size

1.5MB
Sample

240402-mbhz2afb36
MD5

d246efd8e8fcfc5ee2c09329248df3dd
SHA1

6a5ce09d1ff1aca4bf079cd19cd005dfd5f68672
SHA256

7f91b0066e36a8a2555c2a65bac5c760ceadd130fa3a1962a7de7cbed78dcfa3
SHA512

4724e4e3dca70460f183080a3c88ca65b01af865275707c342664047b0853ce352379f599ebc56d2556d594c6eee93227fd41a923f5cf932d057aedf63a12ce0
SSDEEP

24576:lrv6FCNrxxizGvpjASHNHn75Pjhglsf2AYArP3GgmodJv14HrYT6:lryWr6GBjASHNHnVvf2eyIuLYT6

Score

10^/10

amadey mystic redline smokeloader homed backdoor evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

homed

C2

109.107.182.133:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Targets

- Target
  
  bfb38f4b63cad4967ed1fb59263513a57b05fa16dd1daa66887128e169a4eb03.exe
- Size
  
  1.5MB
- MD5
  
  380ee9a587e65797b4ceca5871ef37a5
- SHA1
  
  aff15c787ee6fb8765730aec417bbc0a1751c4bc
- SHA256
  
  bfb38f4b63cad4967ed1fb59263513a57b05fa16dd1daa66887128e169a4eb03
- SHA512
  
  873c11818b0abd2d7ef02d50351b4f82b26d191e61d2bb40229811b39a0e4f31add06de80e94d76685fc94e6b8ea9cfe3adbeff6d9e7533e610d4a34c7891d5f
- SSDEEP
  
  24576:zyz3oBK18C/qnEE2+rj+RIYtLip+FxSLjps0eRcmMZ/wQR4:GzB8CVH40tOpqIJbZIQR
Score

10^/10

amadey mystic redline smokeloader homed backdoor evasion infostealer persistence stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeymysticredlinesmokeloaderhomedbackdoorevasioninfostealerpersistencestealertrojanupx