amadey

General

Target

31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104
Size

1.8MB
Sample

240516-2vejaacg68
MD5

0ba8785d268e2b1ca368efbf4be11695
SHA1

7d0fc1c9e2209a18d7e4c729f026ef41d79f56dc
SHA256

31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104
SHA512

a1983e94795a6fbd57c38250a1d1c7673debd39d896488dc066aaeffba95e1874662a0964a56b3145a20152a75b22bc774703f272784c0c1e93a97f528366c13
SSDEEP

24576:IvoZShk8ZTQCy+2IK75UFBVRn362jVSPwxK/okM0PVIltCKJaOOvj76iZppUDumI:IuH89QCyBqVzvwo4VITxOSFoma+q

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

C2

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

C2

185.172.128.33:8970

Extracted

Family

redline

Botnet

1

C2

185.215.113.67:26260

Extracted

Family

stealc

Botnet

zzvv

C2

http://23.88.106.134

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

5.42.65.64

Targets

- Target
  
  31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104
- Size
  
  1.8MB
- MD5
  
  0ba8785d268e2b1ca368efbf4be11695
- SHA1
  
  7d0fc1c9e2209a18d7e4c729f026ef41d79f56dc
- SHA256
  
  31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104
- SHA512
  
  a1983e94795a6fbd57c38250a1d1c7673debd39d896488dc066aaeffba95e1874662a0964a56b3145a20152a75b22bc774703f272784c0c1e93a97f528366c13
- SSDEEP
  
  24576:IvoZShk8ZTQCy+2IK75UFBVRn362jVSPwxK/okM0PVIltCKJaOOvj76iZppUDumI:IuH89QCyBqVzvwo4VITxOSFoma+q
Score

10^/10

amadey c767c0 evasion trojan gcleaner glupteba redline stealc xmrig 1 @cloudytteam zzvv dropper execution infostealer loader miner stealer themida
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- XMRig Miner payload
  miner
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2