amadey

General

Target

0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01
Size

1.8MB
Sample

240425-17et5sfh3y
MD5

31e45caea6d338f180c2ef2dbf17aa6e
SHA1

e141b38e3bb7a3fe62a41c16ffb319d082fda78e
SHA256

0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01
SHA512

446793aa76caf5a0bfadf952c369b60a765f44cc1c3813828e2c6a8859646740a293ad2e993a7dbb4ccebcf65123b284535666110a596e83efb1f15fc734a5f2
SSDEEP

49152:b3/bnud5CVqm5o2Zp2irYvAtwrua/EOqjV4ex:bjnuDAJkI/Ofe

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

C2

185.172.128.33:8970

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes

strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

stealc

C2

http://52.143.157.84

http://185.172.128.76

Attributes

url_path
/c73eed764cc59dcb.php

Targets

- Target
  
  0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01
- Size
  
  1.8MB
- MD5
  
  31e45caea6d338f180c2ef2dbf17aa6e
- SHA1
  
  e141b38e3bb7a3fe62a41c16ffb319d082fda78e
- SHA256
  
  0221d2c97ba972cec231a6d5ed1a9cae509d1a10ef5d148b43cb778e4267af01
- SHA512
  
  446793aa76caf5a0bfadf952c369b60a765f44cc1c3813828e2c6a8859646740a293ad2e993a7dbb4ccebcf65123b284535666110a596e83efb1f15fc734a5f2
- SSDEEP
  
  49152:b3/bnud5CVqm5o2Zp2irYvAtwrua/EOqjV4ex:bjnuDAJkI/Ofe
Score

10^/10

amadey risepro evasion persistence stealer trojan redline stealc zgrat @cloudytteam infostealer rat themida
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2