amadey

General

Target

a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977
Size

1.8MB
Sample

240428-ht31psag3y
MD5

8196ce484e7137d2ad7be00255ddc42c
SHA1

3c15db55a651787b3e7ce168dc83b47dfda4caff
SHA256

a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977
SHA512

3566c3ebdffadb02da673b5791f36d7d449e3f29c650dd73c975cf0545c7b7e629a9c6906be5ab09bef3d29deb448479396b37f96872d05d1281af3bdb2f812c
SSDEEP

49152:03/bnMUU8XZfvoXtYRBYdC/kCNBPL6VWWts/UyyXh+FzmH:0jnMU7ZXo9YsC/kCPL6Z+0Am

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

91.92.252.220:7000

41.199.23.195:7000

saveclinetsforme68465454711991.publicvm.com:7000

Mutex

bBT8anvIxhxDFmkf

Attributes

Install_directory
%AppData%
install_file
explorer.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

aes.plain

Extracted

Family

stealc

C2

http://185.172.128.62

Attributes

url_path
/902e53a07830e030.php

Targets

- Target
  
  a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977
- Size
  
  1.8MB
- MD5
  
  8196ce484e7137d2ad7be00255ddc42c
- SHA1
  
  3c15db55a651787b3e7ce168dc83b47dfda4caff
- SHA256
  
  a70bef9e7c594db6f948ed275fb995527f92bf4536da46b0f0a134f1092c1977
- SHA512
  
  3566c3ebdffadb02da673b5791f36d7d449e3f29c650dd73c975cf0545c7b7e629a9c6906be5ab09bef3d29deb448479396b37f96872d05d1281af3bdb2f812c
- SSDEEP
  
  49152:03/bnMUU8XZfvoXtYRBYdC/kCNBPL6VWWts/UyyXh+FzmH:0jnMU7ZXo9YsC/kCPL6Z+0Am
Score

10^/10

amadey glupteba risepro stealc xworm dropper evasion loader persistence rat stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Xworm Payload
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2