amadey

General

Target

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Size

424KB
Sample

240619-b6jn9swcnl
MD5

13e5872e9b7c47090e035dc228c5589f
SHA1

c55a9708091f19b5fc5baf7c37beb99d8d3bf760
SHA256

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
SHA512

260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
SSDEEP

6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

b90491

C2

http://o7labs.top

Attributes

install_dir
5641a448ac
install_file
Hkbsse.exe
strings_key
6ca55fed034d4e76c257fcff1c461762
url_paths
/visual/skins/index.php

rc4.plain

Targets

- Target
  
  d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
- Size
  
  424KB
- MD5
  
  13e5872e9b7c47090e035dc228c5589f
- SHA1
  
  c55a9708091f19b5fc5baf7c37beb99d8d3bf760
- SHA256
  
  d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
- SHA512
  
  260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
- SSDEEP
  
  6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz
Score

10^/10

amadey redline xmrig b90491 discovery evasion execution infostealer miner persistence spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2