amadey

Sharing

Copy URL

Twitter E-mail

General

Target

5e226d8262fc6a306a8623ff2317e80de04307b5a5893f24200377dfacb41830
Size

5.3MB
Sample

240522-w7kyyacb4s
MD5

1396e9bf5ea34d8e976dcb161addc42c
SHA1

93860d570b718d94f053b32c65945f7176d48380
SHA256

5e226d8262fc6a306a8623ff2317e80de04307b5a5893f24200377dfacb41830
SHA512

9e9cc252947474c5990f494136fd064c498fc240cfeea497d77f185edc6cad661a942a185d66bd7d2c563fd7c68894e2ecb01ce1584f7a538ee39b5baa8dc418
SSDEEP

98304:qlVMU2nmBPcY3/gzLs4f4Nmt1vsvMcOPBkkPskH0LNdTYVaSW2zR:jUrEoozLR4Nmt1EdOPBPsXLNkFR

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Extracted

Family

risepro

194.49.94.152

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

149.202.0.242:31728

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Targets

- Target
  
  072894a7206e62128b078f8cf245defd279d28624f577f7859cb03be552fdb70
- Size
  
  662KB
- MD5
  
  c66902f6e9a67c0b03be8ee68a49e552
- SHA1
  
  c7a090905d3218b36a5b88fef0e175cb3f0560fc
- SHA256
  
  072894a7206e62128b078f8cf245defd279d28624f577f7859cb03be552fdb70
- SHA512
  
  01be3aeb2981f8f97eedb0a919408ba83be2e4a425a47fa222bc4d46b629ee8c85967d655577816888fb58c6b8b748ff2f3692ec49713f3d0d52f7f2d19ae241
- SSDEEP
  
  12288:eMrGy90N4+eOGiq9xY9vsJpsBstw6QQrpqUx3N/+Rub/lb0GVLchc:kyFpuKgBI/rp3n/1Jchc
Score

10^/10

healer redline mrak dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5
- Size
  
  234KB
- MD5
  
  7dafcde60491fa34e526c8eaafac0f01
- SHA1
  
  d0c0ff3f2e2b66559d99dc660540f0a8dd83cc67
- SHA256
  
  075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5
- SHA512
  
  75fed00edb3d5811cf0b70b07c789f59be7aad30579779dfa70376b82268b0e52d599792b741c954c97c8d8d10100d5cee7c3835d2250023b9060c329090d14c
- SSDEEP
  
  6144:KUy+bnr+5c3pxeXjyqu+Oeu+Oeu+OeuJZp5JZp5JZp5JZp5QgwAQgwAQgwAQSp0J:IMrWc3pxeXjyqu+Oeu+Oeu+OeuJZp5JO
Score

10^/10

amadey healer fb0fb8 dropper evasion persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b
- Size
  
  1.1MB
- MD5
  
  5647ef3ba33c2200403333d17e434856
- SHA1
  
  f695d37246239fd692e7fb044ca2a02ffaa104d9
- SHA256
  
  131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b
- SHA512
  
  d85b3bf66e482e08901d56f28472bd1f75fbcd4b70b27fa0582c234d71f186518fdb57b7a9bff7ae660c8d52f6eb763a696d96a384c9562a706390c5b6c55bda
- SSDEEP
  
  24576:3yIXRcd8lQUqMEcXP8iO7Eff2+uySHr/cZb8/T3TB5:CIhcdSQt0fc+2LUZb43t
Score

10^/10

privateloader redline risepro horda infostealer loader persistence stealer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254
- Size
  
  646KB
- MD5
  
  f6b5bede9b07bfce7ac3d693d5494761
- SHA1
  
  7433b82c21237a1a65994a7ae0843d5ee891ae92
- SHA256
  
  56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254
- SHA512
  
  485a0e0c14a0fdddf9936fbb65f5202989c20f707194bc2cd0af96a08ccc173f65089805aa1287dcdb9389f968f769b91b760f9c6bee379ea8b7822badb544c2
- SSDEEP
  
  12288:7Mruy90A+LXj+ipMEl92UTVK40hxLqrNuB5sZ75Ar+P9L:Vyy6ml92Ug4SGrNuBOZ72r+L
Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62
- Size
  
  377KB
- MD5
  
  92c261fc96a068ae2a2835ee27a16f1e
- SHA1
  
  75e4e65827acaa4e0faa3f42632a53e011bbbd09
- SHA256
  
  807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62
- SHA512
  
  6a1a360b8719a31d2f83ef4dfee0abae102b55ff67284b65f061fb5afddca17d8e9307d5c240f50127ebc5483d230bfb2d4bd364b2d8fddc5b3c67dd27d5ada9
- SSDEEP
  
  6144:rB8vGHJfjmufItYYFrIPU88CcRAO6O82BldTjqPQo0y:rB8v8jmufI+YMgJZBlda0y
Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed
- Size
  
  319KB
- MD5
  
  9ffe17af29c1d6b4a7c753348624c0a7
- SHA1
  
  e252ed955d1edfbc89afc53a0453b9af16b6fd4a
- SHA256
  
  8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed
- SHA512
  
  9dc8415111c176ba626eef704c4e3a4f3e2acceb46f529b359d811a6f0da154d1dd650493f0da812c38758ee5cb954ad3a88441e1bec0a5c987a5d3ebd9095ea
- SSDEEP
  
  6144:K8y+bnr+yp0yN90QEFrKEP3ve7yRfsK6KRFjEXtaBv7yZez3x81WO6:UMrGy90LKU/e7RK6KRdEXYp7YezB8kl
Score

10^/10

amadey mystic 59b440 persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral7
- Target
  
  8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a
- Size
  
  254KB
- MD5
  
  6c76dfb25714e5941d70f7a275e75e5d
- SHA1
  
  5ed48c3c57d1abeece0b35d7bb85a6bf71ab385b
- SHA256
  
  8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a
- SHA512
  
  2aff7b21be560dcfeeafc9f7ed1ab0a1e10ebc2a0363a656e880d05e0c7f20030a8d44926ad72f395632ecd8bf441fe71538c81e7520d73bacf85017ab0f0d97
- SSDEEP
  
  3072:gHvq+7xq+eNvu2U1GA0B+t+ieyOR/VCY0rJ25o3BcJTcVVeosbVFlb9eAg0FujDL:gTD2Lr/V90d2WxjV/hAOIKVg/oPGCV
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of SetThreadContext
behavioral8 behavioral9
- Target
  
  d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34
- Size
  
  805KB
- MD5
  
  7aeb09bb57206fc4c34cdceccc7ab340
- SHA1
  
  270c694409562e116dcdd44c5ce63b2a4f8bdccb
- SHA256
  
  d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34
- SHA512
  
  bd548655a57783f2c34ba4c11bc595112840266de1d68f939e888b399a3329cce74d604de6bc0f9efd47c292d5804d76307c520aede442378893c4828ee3d619
- SSDEEP
  
  12288:qMrsy903vnIAAzzFM8VzjAJNRK47lnoj8eI4BOx4aBFrx9OX2EkDWWSMEidlk:SyyPIdzzW8psxLxno49N9CGpitb
Score

10^/10

amadey redline 59b440 mrak evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral10
- Target
  
  e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365
- Size
  
  1.6MB
- MD5
  
  8730beb5e0481f045236541cbf84b0a6
- SHA1
  
  8e44b7bd8462feb51c116ab72cf6bb460f2c5ee4
- SHA256
  
  e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365
- SHA512
  
  2da9d6a2bec2b33332ae4c0a5739cc5fd19a4c2f011bb28f3c69eed8ca654336c570526ffc7b2530637577dce49e98a54f3512069212acd0dd16a323242c8b40
- SSDEEP
  
  24576:GyWdCALxR5STmSCSGz9FUkJ4RNGAWei3u7A2Lj2zPYTf8tAjbg:VWdCAfISSq7TAQIA2Lj2jKIA
Score

10^/10

amadey mystic redline smokeloader 04d170 grome backdoor evasion infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

PrivateLoader

RedLine

RedLine payload

RisePro

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

SmokeLoader

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

RedLine

RedLine payload

Suspicious use of SetThreadContext

Amadey

Detect Mystic stealer payload

Mystic

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

SmokeLoader

Suspicious use of SetThreadContext

Amadey

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Amadey

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

RedLine

RedLine payload

SmokeLoader

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4