amadey

Sharing

Copy URL

Twitter E-mail

General

Target

ProtonVPN-10_11.zip
Size

23.5MB
Sample

240807-xlcwwawapa
MD5

1ef1048713ea6209343ce95354cf109b
SHA1

a51383e26cfd28b846aa106d7e7ab335186dbd18
SHA256

838ac92610147408c850191dc4d38af831391eb0013ee1342bd9a73079f632ff
SHA512

0dc2a1c756b7106a0d5eb333cbc8386b67abe16a0f5266435808c81faeb1e762345987e68447c9e49880c657daa889d63b9491e13c399f33402fbf7015d02069
SSDEEP

393216:C//BVFDhYqh1TJRQlUAhwI3ybS+E7Sh7nbhgIwLC5/aBCNE0LP2c3aBxY9r+0h/f:6hphrRZ4ShzbhgLeaBCNcFB8r3mHojV3

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

9f93a2

http://185.208.158.116

http://185.209.162.226

http://89.23.103.42

Attributes

install_dir
3bca58cece
install_file
Hkbsse.exe
strings_key
554ac8d4ec8b2a0ead6c958fdfed18cb
url_paths
/hb9IvshS01/index.php

/hb9IvshS02/index.php

/hb9IvshS03/index.php

rc4.plain

Targets

- Target
  
  ProtonVPN-10_11/Launcher.dll
- Size
  
  2KB
- MD5
  
  32e7556ff4f5256d15e1fc843cee5e3d
- SHA1
  
  b7283061428e9ca741c26dcfc3e869e2fc699f0b
- SHA256
  
  b2f5dfcba2018e9b4314c245f6391783bd3717fe02fec3e6edf1b9d1a3801278
- SHA512
  
  d39ca3fd8edb7db7e19655ea3aa69d8b0a4008514ed356808b59f7cdf4c109b7efd0ed54f6ea099d37b33f107f234adc4f01a178c90961e88d3c9ed7a8ebe40e
Score

1^/10
behavioral1
- Target
  
  ProtonVPN-10_11/Launcher.exe
- Size
  
  364KB
- MD5
  
  93fde4e38a84c83af842f73b176ab8dc
- SHA1
  
  e8c55cc160a0a94e404f544b22e38511b9d71da8
- SHA256
  
  fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
- SHA512
  
  48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
- SSDEEP
  
  6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2
Score

10^/10

amadey rhadamanthys xmrig 9f93a2 discovery evasion execution miner persistence stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  ProtonVPN-10_11/data/appInfo/nRCRxIB7aYOV
- Size
  
  40KB
- MD5
  
  e0ff2c892f8725cea6fbe3129c34ae49
- SHA1
  
  5077794c6275552ba2a141178983d560ccbd8920
- SHA256
  
  e93a752e88297a5bb1c94a661054910b9edaba84a21f09b5ff7ace577ae59297
- SHA512
  
  d802c15b6629baa03ac8196b8472ec0c842ca41d5e235dccbb4bc5ad7cd86e6ad50380dad7cb18158177b755c8a076b200d0923eebf1036664a8ab5282bbbcc6
- SSDEEP
  
  768:quWlLBWQSU1fODSc4GO4z4i/V/Gd6dCOq8HAkL+3vKgBCP4FeTpz84vG:HWnWQSvDZ3OJi9f0fKAL3vKg0QFeTTvG
Score

3^/10

execution
behavioral3
- Target
  
  ProtonVPN-10_11/data/appInfo/services/Launhcer.dll
- Size
  
  2KB
- MD5
  
  7de0541eb96ba31067b4c58d9399693b
- SHA1
  
  a105216391bd53fa0c8f6aa23953030d0c0f9244
- SHA256
  
  934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e
- SHA512
  
  e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3
Score

1^/10
behavioral4
- Target
  
  ProtonVPN-10_11/data/appInfo/services/Launhcer.exe
- Size
  
  364KB
- MD5
  
  e5c00b0bc45281666afd14eef04252b2
- SHA1
  
  3b6eecf8250e88169976a5f866d15c60ee66b758
- SHA256
  
  542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903
- SHA512
  
  2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387
- SSDEEP
  
  6144:+pS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYql6wrEJWPYg:+p8KLBzQ7Lcf3SiQs2FTTql9unNrkv75
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
behavioral5
- Target
  
  ProtonVPN-10_11/data/appInfo/services/WinRAR.exe
- Size
  
  2.1MB
- MD5
  
  f59f4f7bea12dd7c8d44f0a717c21c8e
- SHA1
  
  17629ccb3bd555b72a4432876145707613100b3e
- SHA256
  
  f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4
- SHA512
  
  44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c
- SSDEEP
  
  49152:2oJAPtSHWxwJWzkDVkwg5NYUzNjteyUHBdH3y005:2ZAHWSxkfNNte9BpCN
Score

4^/10

discovery persistence
behavioral6
- Target
  
  ProtonVPN-10_11/data/appInfo/services/data/Launcher.dll
- Size
  
  6KB
- MD5
  
  a37d6bd996505a42c3f29d0ed54b9ae7
- SHA1
  
  36759677d2e52e9b75b6a6b14f4f03b0dc1b0e79
- SHA256
  
  606f3b07ef6896fd75f51bd1ca1af4ed8075b22f9ca1cf8b1a0bf5bfc6d3074a
- SHA512
  
  8a8fa253062bac723dc7cffbff199fa78f7b6975019bfbdf11372711b58f0b8d1dbe1ff574280343abf290d99210c2feb8a691d1504a11d4bd934eaaa47fd149
- SSDEEP
  
  96:n0bb/xAwcf9e6+oEjZl1r+dB88YA2TT0VA70ilMNNZno2NSQ:nC/xjcVe6qZbruBzS0e70qMNNZnRSQ
Score

1^/10
behavioral7
- Target
  
  ProtonVPN-10_11/data/appInfo/services/data/Launcher.exe
- Size
  
  364KB
- MD5
  
  93fde4e38a84c83af842f73b176ab8dc
- SHA1
  
  e8c55cc160a0a94e404f544b22e38511b9d71da8
- SHA256
  
  fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
- SHA512
  
  48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
- SSDEEP
  
  6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
behavioral8
- Target
  
  ProtonVPN-10_11/data/appInfo/services/wget.exe
- Size
  
  4.9MB
- MD5
  
  8c04808e4ba12cb793cf661fbbf6c2a0
- SHA1
  
  bdfdb50c5f251628c332042f85e8dd8cf5f650e3
- SHA256
  
  a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272
- SHA512
  
  9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f
- SSDEEP
  
  98304:bHObnQdOb3OWEqNHeHq6PdOnS8SOGdVilQeHPpXF0aGOVxuGqYE6hpAl/70pzd+Z:bHInQ5WE2HeHq61OJSOGdVilQeHPpXFA
Score

3^/10

discovery
behavioral9