amadey

General

Target

43c51e432dfddac2930674c7f20cc00775d6af8af821aa3764b4bca9729ae815
Size

1.8MB
Sample

240516-1q5z1aac33
MD5

9dac1454b2e782ee490cf0ded37abb62
SHA1

3b5b6e0d822c2583ed47961a23b6140dd909d540
SHA256

43c51e432dfddac2930674c7f20cc00775d6af8af821aa3764b4bca9729ae815
SHA512

a2a70b87a98a8b7a6b259bf7e3e4c51d763bb7c0f38c03461c9480de9517f21b8897c2eee0129f2867d3f6ad19a1334bc9d6979531f84965a9b9833b00adcc0c
SSDEEP

49152:AePpHkyCwbKxH1jESmvZb2r1lcqTykUQtMWr:pl0wbKh1ASmBbzI

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

C2

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

C2

185.172.128.33:8970

Extracted

Family

redline

Botnet

1

C2

185.215.113.67:26260

Extracted

Family

stealc

Botnet

zzvv

C2

http://23.88.106.134

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

5.42.65.64

Targets

- Target
  
  43c51e432dfddac2930674c7f20cc00775d6af8af821aa3764b4bca9729ae815
- Size
  
  1.8MB
- MD5
  
  9dac1454b2e782ee490cf0ded37abb62
- SHA1
  
  3b5b6e0d822c2583ed47961a23b6140dd909d540
- SHA256
  
  43c51e432dfddac2930674c7f20cc00775d6af8af821aa3764b4bca9729ae815
- SHA512
  
  a2a70b87a98a8b7a6b259bf7e3e4c51d763bb7c0f38c03461c9480de9517f21b8897c2eee0129f2867d3f6ad19a1334bc9d6979531f84965a9b9833b00adcc0c
- SSDEEP
  
  49152:AePpHkyCwbKxH1jESmvZb2r1lcqTykUQtMWr:pl0wbKh1ASmBbzI
Score

10^/10

amadey gcleaner glupteba redline stealc xmrig 1 @cloudytteam c767c0 zzvv dropper evasion execution infostealer loader miner persistence stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- XMRig Miner payload
  miner
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2