amadey

General

Target

9276280817d21fa73a4c27322909cdfea2bb44235b79ab169bf4f494a23f242f
Size

1.7MB
Sample

240514-b3c3baef37
MD5

b254d967e0168d87fd7314c2462f12ed
SHA1

855881b54033e663cdc506538cde1038de584287
SHA256

9276280817d21fa73a4c27322909cdfea2bb44235b79ab169bf4f494a23f242f
SHA512

d57688208e5b204e8782230eaa110a908d9abd05c8a0f965d50aee054d1e0dd9d4b48c9274aeea01bed9f95a9341e6e095396e476b61d4fd5bbbdc689b8be4f3
SSDEEP

24576:MCj5TBuC1y1q8EsGR8XFnmjAROke0z2hBM4jYtAhug9+cmqgDC/tXGrLOfekwh:MCNM4nNIFmjJ0JLzW+cmvCFGdp

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.141

http://5.42.96.7

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Extracted

Family

redline

Botnet

1

C2

185.215.113.67:26260

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

C2

185.172.128.33:8970

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
taskmgr.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Targets

- Target
  
  9276280817d21fa73a4c27322909cdfea2bb44235b79ab169bf4f494a23f242f
- Size
  
  1.7MB
- MD5
  
  b254d967e0168d87fd7314c2462f12ed
- SHA1
  
  855881b54033e663cdc506538cde1038de584287
- SHA256
  
  9276280817d21fa73a4c27322909cdfea2bb44235b79ab169bf4f494a23f242f
- SHA512
  
  d57688208e5b204e8782230eaa110a908d9abd05c8a0f965d50aee054d1e0dd9d4b48c9274aeea01bed9f95a9341e6e095396e476b61d4fd5bbbdc689b8be4f3
- SSDEEP
  
  24576:MCj5TBuC1y1q8EsGR8XFnmjAROke0z2hBM4jYtAhug9+cmqgDC/tXGrLOfekwh:MCNM4nNIFmjJ0JLzW+cmvCFGdp
Score

10^/10

amadey redline risepro xworm zgrat 1 @cloudytteam evasion execution infostealer persistence rat stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Xworm Payload
- Detect ZGRat V1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2