amadey

General

Target

ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c
Size

1.8MB
Sample

240618-yz2ylawaqc
MD5

d933a1e34002d784b05aaf813e96bbca
SHA1

e22779e5665482f4f35fd5ab87d6075d9932b158
SHA256

ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c
SHA512

e7d2416680085f7cca918e353703d3c7087de72d17ce141db2c4eb77e1e727f195e913d4d7945908b698284bababde3a8a31367149e7f278254959e763bd4948
SSDEEP

49152:kiBbKIGjDt/gWtQ3MLeJZdbvmhS0gRAT18:j2IGdRCpbvmhS0g018

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Targets

- Target
  
  ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c
- Size
  
  1.8MB
- MD5
  
  d933a1e34002d784b05aaf813e96bbca
- SHA1
  
  e22779e5665482f4f35fd5ab87d6075d9932b158
- SHA256
  
  ef5cc39bd536f448498941d058596883d45a1f0c171ec0e6601c73d40671da3c
- SHA512
  
  e7d2416680085f7cca918e353703d3c7087de72d17ce141db2c4eb77e1e727f195e913d4d7945908b698284bababde3a8a31367149e7f278254959e763bd4948
- SSDEEP
  
  49152:kiBbKIGjDt/gWtQ3MLeJZdbvmhS0gRAT18:j2IGdRCpbvmhS0g018
Score

10^/10

amadey risepro 0e6740 collection discovery evasion persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1