amadey

Sharing

General

Target

e04afeeb6bb46b372bc1d7c2e2f25ead.exe
Size

1.9MB
Sample

240727-d6gk1svdlq
MD5

e04afeeb6bb46b372bc1d7c2e2f25ead
SHA1

684d7f3cf0f8f94b1a58b39a97fd2f8f37f4a380
SHA256

71db154390c24f07114784bf363d39dac8f1699c517064327724f83ca4acdfb9
SHA512

96892cf42b70716a104841f707f263c2aa03a2d7e948b469f1200ddc1abd37ed3e489cb27731c646bd0787c18980cd947328a3c0cfa1432b9cd23435b5cb7689
SSDEEP

49152:aWzMb/x6nIJ70S13/CgE1/wfjajqg60t3PwB/c2DG7QXc6cnS2:koW136RJ/O+RPwhvDGsXuS

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

sila

http://85.28.47.31

Attributes

url_path
/5499d72b3a3e55be.php

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

QLL

http://85.28.47.70

Attributes

url_path
/744f169d372be841.php

Extracted

Family

redline

Botnet

25072023

185.215.113.67:40960

Extracted

Family

redline

Botnet

LiveTraffic

20.52.165.210:39030

Targets

- Target
  
  e04afeeb6bb46b372bc1d7c2e2f25ead.exe
- Size
  
  1.9MB
- MD5
  
  e04afeeb6bb46b372bc1d7c2e2f25ead
- SHA1
  
  684d7f3cf0f8f94b1a58b39a97fd2f8f37f4a380
- SHA256
  
  71db154390c24f07114784bf363d39dac8f1699c517064327724f83ca4acdfb9
- SHA512
  
  96892cf42b70716a104841f707f263c2aa03a2d7e948b469f1200ddc1abd37ed3e489cb27731c646bd0787c18980cd947328a3c0cfa1432b9cd23435b5cb7689
- SSDEEP
  
  49152:aWzMb/x6nIJ70S13/CgE1/wfjajqg60t3PwB/c2DG7QXc6cnS2:koW136RJ/O+RPwhvDGsXuS
Score

10^/10

amadey stealc 0657d1 sila discovery evasion persistence stealer trojan exelastealer redline 25072023 fed3aa livetraffic qll collection defense_evasion infostealer pyinstaller
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2