amadey

Sharing

General

Target

37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3
Size

1.5MB
Sample

240513-283g9she6t
MD5

a155de8690462c0959f2ea4909d882a5
SHA1

fdb6464008104acb947d0796f4f39194fd7caa5b
SHA256

37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3
SHA512

3506261ec12974f0fa0b4d4454f351329c9b740d438ab37c5f5eac8ea7738b69afb6c8a994ee638cd714e3aa9f8900831e38c68ee0bd7ac62ba716ebd2e4499e
SSDEEP

24576:xKE/S7xqKnUjVto5Naoqc0sCxYBF87pDjpi9WPpQ45OpY/uMWT7/gV0we:oE/S7xFUJyhqVsZGds9WJ5OK//W/YVZe

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.141

http://5.42.96.7

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
taskmgr.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Targets

- Target
  
  37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3
- Size
  
  1.5MB
- MD5
  
  a155de8690462c0959f2ea4909d882a5
- SHA1
  
  fdb6464008104acb947d0796f4f39194fd7caa5b
- SHA256
  
  37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3
- SHA512
  
  3506261ec12974f0fa0b4d4454f351329c9b740d438ab37c5f5eac8ea7738b69afb6c8a994ee638cd714e3aa9f8900831e38c68ee0bd7ac62ba716ebd2e4499e
- SSDEEP
  
  24576:xKE/S7xqKnUjVto5Naoqc0sCxYBF87pDjpi9WPpQ45OpY/uMWT7/gV0we:oE/S7xFUJyhqVsZGds9WJ5OK//W/YVZe
Score

10^/10

amadey redline risepro stealc xworm zgrat 1 @cloudytteam evasion execution infostealer persistence rat stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Xworm Payload
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2