amadey

Resubmissions

14-05-2024 20:58

240514-zsfmfsgb6s 10

14-05-2024 20:53

240514-zplpasfh6x 10

14-05-2024 19:25

240514-x4yajach28 10

Sharing

Copy URL

Twitter E-mail

General

Target

3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
Size

1.8MB
Sample

240514-zplpasfh6x
MD5

2307c3f2702a53fdc03bf2f05fe51a25
SHA1

5d31c179f4d5e0831fb5ad877fbfe8fe6b88a26d
SHA256

3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
SHA512

14c7feba21ae7b6b3e3d1bf06a8dea88c784ba1e5e86ffd9724be66ef880bfb89c66ae5f906e1d7c9fc18635b892ec32255ecad57dd71c11d4e40a2f9922e6bf
SSDEEP

49152:VKrUl9aoaN6dMU27MyNw2e9ObxiFlWukA+dEoBpck6Co:VKrb6bmw2mOliFlWuQxpcN

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mx.progiftstore.org
Port:
587
Username:
[email protected]
Password:
eHdixiY321

Extracted

Credentials

Protocol: smtp
Host:
mx.mannbdinfo.org
Port:
587
Username:
[email protected]
Password:
9O2sw3bc

Extracted

Credentials

Protocol: smtp
Host:
mail.jlchacha.com
Port:
587
Username:
[email protected]
Password:
chacha123

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
dano67

Extracted

Credentials

Protocol: smtp
Host:
autismplus.com.au
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
DEC1564

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
Gto6766

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
hYN2mU67!

Extracted

Credentials

Protocol: smtp
Host:
mx.giochi0.it
Port:
587
Username:
[email protected]
Password:
Barcellona28

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.ne.jp
Port:
587
Username:
[email protected]
Password:
19711229

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
110110Jp

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
eagle1

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
gloria02151

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Taylor5bob

Extracted

Credentials

Protocol: smtp
Host:
mx.nikeshoesoutletforsale.com
Port:
587
Username:
[email protected]
Password:
dsfsdfede2022

Extracted

Credentials

Protocol: smtp
Host:
mx.gcdetectivefree.com
Port:
587
Username:
[email protected]
Password:
Parola12

Extracted

Credentials

Protocol: smtp
Host:
smtp.terre-net.fr
Port:
587
Username:
[email protected]
Password:
s2l81290

Extracted

Credentials

Protocol: smtp
Host:
mx.fkksol.com
Port:
587
Username:
[email protected]
Password:
Cucuzq7p

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
medomak4554!medomak4554!123

Extracted

Credentials

Protocol: smtp
Host:
mx.websitebod.com
Port:
587
Username:
[email protected]
Password:
tTisf7i32wy

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
rideboard1

Extracted

Credentials

Protocol: smtp
Host:
void.blackhole.mx
Port:
587
Username:
[email protected]
Password:
super6

Extracted

Credentials

Protocol: smtp
Host:
hcmp.co.kr
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mx.websitebod.com
Port:
587
Username:
[email protected]
Password:
eHdixiY

Extracted

Credentials

Protocol: smtp
Host:
mx.uvvc.info
Port:
587
Username:
[email protected]
Password:
663765335226

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
barbbite

Extracted

Credentials

Protocol: smtp
Host:
romanov.ca
Port:
587
Username:
[email protected]
Password:
jasper

Extracted

Credentials

Protocol: smtp
Host:
autismplus.com.au
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.homtail.co.uk
Port:
587
Username:
[email protected]
Password:
s1zzle

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
4Jr4xr8ekq&

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
honda91

Extracted

Credentials

Protocol: smtp
Host:
mx.fkksol.com
Port:
587
Username:
[email protected]
Password:
6YKeuo3A

Extracted

Credentials

Protocol: smtp
Host:
hcmp.co.kr
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
wightman.ca
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Insanity1

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
Loukasd12

Extracted

Credentials

Protocol: smtp
Host:
mail.jbc.co.jp
Port:
587
Username:
[email protected]
Password:
Take0912

Extracted

Credentials

Protocol: smtp
Host:
mx.ertemaik.com
Port:
587
Username:
[email protected]
Password:
zq15VjBo

Extracted

Family

amadey

Version

4.20

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

5.42.65.64

Targets

- Target
  
  3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
- Size
  
  1.8MB
- MD5
  
  2307c3f2702a53fdc03bf2f05fe51a25
- SHA1
  
  5d31c179f4d5e0831fb5ad877fbfe8fe6b88a26d
- SHA256
  
  3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
- SHA512
  
  14c7feba21ae7b6b3e3d1bf06a8dea88c784ba1e5e86ffd9724be66ef880bfb89c66ae5f906e1d7c9fc18635b892ec32255ecad57dd71c11d4e40a2f9922e6bf
- SSDEEP
  
  49152:VKrUl9aoaN6dMU27MyNw2e9ObxiFlWukA+dEoBpck6Co:VKrb6bmw2mOliFlWuQxpcN
Score

10^/10

amadey gcleaner glupteba redline xmrig zgrat 1 discovery dropper evasion execution infostealer loader miner persistence rat rootkit spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies boot configuration data using bcdedit
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Contacts a large (764) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Manipulates WinMon driver.
  Roottkits write to WinMon to hide PIDs from being detected.
  rootkit evasion
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2