amadey

General

Target

04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f.zip
Size

1.2MB
Sample

240402-mrnkfsga28
MD5

b9fe594fc0cf6191964240dc085876a6
SHA1

f6cbde1b8a2fb33fdaaf30eaba13e7039861f4b0
SHA256

22d7d2c9a643427938ccec82d5713c89f868e5aff8b3e1554c0b0fe1452a34ce
SHA512

a2b714d8119a634b5f6a27a27fe3802bf033a3a7a14cf576b27cdf4a2827d12dbb30471a9fffefe008350ff12b2d6113e0d980bc7efdba9ba44b4b56c330c106
SSDEEP

24576:YXUdS97nGLYZUBvqlNbTtooEbSLKuN3aqfcSQg6GggWE3Bpv8V3FHJ+RViWz:YE2cSwqnbTtooMSLKuJvczYZ0V3FpIiM

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Targets

- Target
  
  04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f.exe
- Size
  
  1.3MB
- MD5
  
  9e812f3cb3b6bd7057626dc1f8f40df2
- SHA1
  
  768b2df69ccd958e0865575e10f42b98bafdba21
- SHA256
  
  04428661fa0f0fdab52725224d5e1dca6e612b7dbd26a4f1688045b0c7e0324f
- SHA512
  
  69f3903c483f01f1835bf54f52c78c25dc62ca8f24ad3020c754aa44230ac3bc55eeb1c6cec18b7511d23aad33f56ada18ce5875d67b07aa144de9b6013e5156
- SSDEEP
  
  24576:uyENvyaKYUdsbl1Vtkig+4xZCUVjjEpB1eA1cOTYDXaVKpHky:9SPjb/8dDMUVjkWvOTYwwH
Score

10^/10

amadey dcrat mystic redline smokeloader grome backdoor evasion infostealer persistence rat stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1