amadey

Sharing

General

Target

safe-archive.zip
Size

4.8MB
Sample

240718-zjtsqavhqn
MD5

2f838b4b93bb8f6854091ffd8caa7c67
SHA1

8f6915a442553cf4a523de6fca81e8ca1ebfdcbf
SHA256

0b40e067825d95257e9f01da86a935b476bf5b71ff1a0b7eced19bddac0871d5
SHA512

a0a8dadf74cb37ba1e3c96c61942ee54a74621875897adf2bfef2e8225a71b3655ae9e9988c472a00d8b1accc456bfd399db4afc0cfb9d5c171e3251af001d3f
SSDEEP

98304:60TlR8zcXvL32lYTQRLVN0GAr1YS3A0xBlrEYEYS/9dHHiItQu:6c+ULmlYTC30G+JwEWB/9dbQu

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

risepro

194.110.13.70

77.105.133.27

Targets

- Target
  
  setup.exe
- Size
  
  797.3MB
- MD5
  
  2fdc57bec904320dab309bad532a3bdc
- SHA1
  
  c135c491fbbe7aec5db89965fa107269865cf311
- SHA256
  
  cd6e0368e70f620afff7945a611b787ac9c07a53bfa5aa38cd061e91a78f3588
- SHA512
  
  ee5f4a35467dcfab6ddb9d4a42074ed8fa9ce64b4c35f1c27d5b109d591a0708566dd41b646c46d18fbdc7edbb43fd4979f53d184b22de493eb62ffaa0ef783a
- SSDEEP
  
  98304:+0qckZwQWXPDfYi7BMDA++4KwJ/WLxnDY+1bnl/ZQ:zB/Df7FMc+l/YLNUebl
Score

10^/10

amadey privateloader redline risepro tofsee 4dd39d logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer loader persistence privilege_escalation spyware stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies firewall policy service
  evasion
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix

Tasks

static1

Score

3^/10

behavioral1

amadeyprivateloaderredlineriseprotofsee4dd39dlogsdiller cloud (tg: @logsdillabot)discoveryevasionexecutioninfostealerloaderpersistenceprivilege_escalationspywarestealerthemidatrojan

Score

10^/10

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Modifies firewall policy service

PrivateLoader

RedLine

RedLine payload

RisePro

Tofsee

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Sets service image path in registry

Stops running service(s)

Checks BIOS information in registry

Drops startup file

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Themida packer

Unexpected DNS network traffic destination

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Power Settings

AutoIT Executable

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1