amadey

Resubmissions

22-05-2024 00:08

240522-ae8cwaee3v 10

Sharing

Copy URL

Twitter E-mail

General

Target

NordVPN-10_11.zip
Size

217.6MB
Sample

240522-ae8cwaee3v
MD5

dc4f1a240f8a940977284ce77f876439
SHA1

6b013a62e9d0d511256f69abc4ded33c7f291772
SHA256

3f80c20fecafcfa264532eae938edb81dd04c8d0335c366f0b3c4c64ad529967
SHA512

f92f00734f19c669c26febe8e227d7a2f3f23b901e21c9a9ec19ad9e4aac9863c9ef32f03b8d646ec4a4e1d67769d833012698c0d720a049f0c9af342d3f29c1
SSDEEP

6291456:a74mfEYvZivD8HFBsPzmG9yGvaOBdUFyHZJMLpQm:a7fEYvRlBsPzmG9P3BdTDMLD

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

28ef06

http://185.196.10.188

http://45.159.189.140

http://89.23.103.42

Attributes

install_dir
b4e248fdbd
install_file
Dctooux.exe
strings_key
01edd7c913096383774168b5aeebc95e
url_paths
/hb9IvshS/index.php

/hb9IvshS2/index.php

/hb9IvshS3/index.php

rc4.plain

Targets

- Target
  
  Launcher.dll
- Size
  
  2KB
- MD5
  
  32e7556ff4f5256d15e1fc843cee5e3d
- SHA1
  
  b7283061428e9ca741c26dcfc3e869e2fc699f0b
- SHA256
  
  b2f5dfcba2018e9b4314c245f6391783bd3717fe02fec3e6edf1b9d1a3801278
- SHA512
  
  d39ca3fd8edb7db7e19655ea3aa69d8b0a4008514ed356808b59f7cdf4c109b7efd0ed54f6ea099d37b33f107f234adc4f01a178c90961e88d3c9ed7a8ebe40e
Score

1^/10
behavioral1 behavioral2
- Target
  
  Launcher.exe
- Size
  
  364KB
- MD5
  
  93fde4e38a84c83af842f73b176ab8dc
- SHA1
  
  e8c55cc160a0a94e404f544b22e38511b9d71da8
- SHA256
  
  fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
- SHA512
  
  48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
- SSDEEP
  
  6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2
Score

10^/10

amadey rhadamanthys 28ef06 evasion execution persistence spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  data/HzkTNOg6s1em
- Size
  
  50KB
- MD5
  
  7038dc43406aaa195889f20880cb49a4
- SHA1
  
  2d398e6d8187c33cf00d10a96ddd32fd4218d94b
- SHA256
  
  9b74b2cbc8ec3b2cfbf9f6f6c20f5f90576f8bb9c44fe5a8ed0109aa97f21bcb
- SHA512
  
  9254fc4d470cfb633b98a748993b0bbc40f0ea0c2163ca56c2b99ab3c5700e978be200c99bc9be6f516ced04331391053dbe90b03e8d8844f0edd785b82f67a7
- SSDEEP
  
  1536:gboSBtdpjqVkGRKA/hTsG7sg72LavYGWC0e+gU0:gbogtP0RKA/Jsg7KeYGKe+gU0
Score

3^/10

execution
behavioral5 behavioral6
- Target
  
  data/appInfo/UqYyr4PZlPm4
- Size
  
  150KB
- MD5
  
  97faa935235531bac529a1eb0a533df1
- SHA1
  
  0cdbcf1d9534b593a5cb33843a9e8d0445c91f97
- SHA256
  
  d8df009acf37dd59649a8f618b8e16ba67cace1746f86fab120715399f7c2890
- SHA512
  
  6d3b680de730e83921452cf48c0d11062710d26d371076a3406ab7b36294d510b47cfcae80996381c06606636637eea5a55f8d79a38ad88f4a4364d397aa0cf9
- SSDEEP
  
  3072:8FWJgA0YaAcuTjzDaa5WrTS2R+TlpFczpa9Ikmeiqe6Ix2EeJg2xb:88Fc4b4EpFczpa4+Eei2p
Score

3^/10

execution
behavioral7 behavioral8
- Target
  
  data/appInfo/Zxph8ZShJw5c
- Size
  
  110KB
- MD5
  
  5249241ac29cdb71e1b4caad76149444
- SHA1
  
  f35ec18fcdc29885b028e2d5de7305d9b62088df
- SHA256
  
  cff4d04b160809cbc331713287f910d0bfba2bab205c655e58a3c847f6229a2c
- SHA512
  
  28c51d9c9330e7e82f56362d9601ebbe2aee4ea81a6a684ce0acd4f583a17db68a580ba8e723581199904eedd4c0ef6ba8e9bd7fdd01309de39ec20c4685aeb0
- SSDEEP
  
  3072:cpKcc3xtAjk2y/x92hYpXzoLtj6u8UtQAJ7+6X6e:cpKcitAI2yHGYtzoLtjRtQAJZXJ
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  data/appInfo/services/Launhcer.dll
- Size
  
  2KB
- MD5
  
  7de0541eb96ba31067b4c58d9399693b
- SHA1
  
  a105216391bd53fa0c8f6aa23953030d0c0f9244
- SHA256
  
  934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e
- SHA512
  
  e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3
Score

1^/10
behavioral11 behavioral12
- Target
  
  data/appInfo/services/Launhcer.exe
- Size
  
  364KB
- MD5
  
  e5c00b0bc45281666afd14eef04252b2
- SHA1
  
  3b6eecf8250e88169976a5f866d15c60ee66b758
- SHA256
  
  542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903
- SHA512
  
  2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387
- SSDEEP
  
  6144:+pS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYql6wrEJWPYg:+p8KLBzQ7Lcf3SiQs2FTTql9unNrkv75
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral13 behavioral14
- Target
  
  data/appInfo/services/WinRAR.exe
- Size
  
  2.1MB
- MD5
  
  f59f4f7bea12dd7c8d44f0a717c21c8e
- SHA1
  
  17629ccb3bd555b72a4432876145707613100b3e
- SHA256
  
  f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4
- SHA512
  
  44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c
- SSDEEP
  
  49152:2oJAPtSHWxwJWzkDVkwg5NYUzNjteyUHBdH3y005:2ZAHWSxkfNNte9BpCN
Score

4^/10

persistence
behavioral15 behavioral16
- Target
  
  data/appInfo/services/data/Launcher.dll
- Size
  
  6KB
- MD5
  
  f58866e5a48d89c883f3932c279004db
- SHA1
  
  e72182e9ee4738577b01359f5acbfbbe8daa2b7f
- SHA256
  
  d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12
- SHA512
  
  7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177
- SSDEEP
  
  96:b0bb/xXjs8XNeWeQUjCq61hl+L08Nuz+570phTlA8cP:bC/xXo89eWidohls7wK70vTlPcP
Score

1^/10
behavioral17 behavioral18
- Target
  
  data/appInfo/services/data/Launcher.exe
- Size
  
  364KB
- MD5
  
  93fde4e38a84c83af842f73b176ab8dc
- SHA1
  
  e8c55cc160a0a94e404f544b22e38511b9d71da8
- SHA256
  
  fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
- SHA512
  
  48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
- SSDEEP
  
  6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral19 behavioral20
- Target
  
  data/appInfo/services/wget.exe
- Size
  
  4.9MB
- MD5
  
  8c04808e4ba12cb793cf661fbbf6c2a0
- SHA1
  
  bdfdb50c5f251628c332042f85e8dd8cf5f650e3
- SHA256
  
  a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272
- SHA512
  
  9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f
- SSDEEP
  
  98304:bHObnQdOb3OWEqNHeHq6PdOnS8SOGdVilQeHPpXF0aGOVxuGqYE6hpAl/70pzd+Z:bHInQ5WE2HeHq61OJSOGdVilQeHPpXFA
Score

1^/10
behavioral21 behavioral22
- Target
  
  data/tAoMyd4BMpNH
- Size
  
  20KB
- MD5
  
  4be6bf24534cfb6c0a3309b2c89fd76e
- SHA1
  
  fa5f53bad3abb3cf9ab2741d7293e89b10948061
- SHA256
  
  dcb5b0980c7892a3204cf08c61d143cc0fcfdf65607fb319dbec4911a329ecd9
- SHA512
  
  5ef457259af9d65c03d29b4414fec1d304c42f83a9e6e3164c5aa61c296d68f8a8735fc3db89939dbc51eebb421b620f2eb05d109f9b09fb41e81e9d7562c6e0
- SSDEEP
  
  384:iCesm0WsTFWIfj6d5KtzwIRqCKfHshMdWcP3p4NeL99Cv+oAEzqBjf3H6iN:iCu0L5WIUqzvwC0MhMpP3Z4zqV6iN
Score

3^/10

execution
behavioral23 behavioral24