amadey

Sharing

General

Target

1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b
Size

1.8MB
Sample

240908-t18ejswcql
MD5

c48e96d00170275b32ae17595253db8b
SHA1

4c5406257dfa38f1f5e9581cff8f8abf0e3166aa
SHA256

1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b
SHA512

1ee4dcccc16a087d4c03b4c742cc9e0108ab9cd72dc94cde8fc55e85e3f164a973c4cacd1b0ef36e808c4fc6bbe0a56edffaab8f782cf8c0ecf94435a225be74
SSDEEP

49152:PhIHb/bSc6IcrHCgMItXHm+b5EDFGlxqV0:JIb/bSXIczCyVRb2DFq

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

95.179.250.45:26212

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

cryptbot

fivev5sb.top

sevtv17sb.top

analforeverlovyu.top

Attributes

url_path
/v1/upload.php

Extracted

Family

gcleaner

80.66.75.114

45.91.200.135

Targets

- Target
  
  1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b
- Size
  
  1.8MB
- MD5
  
  c48e96d00170275b32ae17595253db8b
- SHA1
  
  4c5406257dfa38f1f5e9581cff8f8abf0e3166aa
- SHA256
  
  1437c09ded51ca0efb236f5f45ec9fe4b8b63ea9a3aac43edcea2fa13772120b
- SHA512
  
  1ee4dcccc16a087d4c03b4c742cc9e0108ab9cd72dc94cde8fc55e85e3f164a973c4cacd1b0ef36e808c4fc6bbe0a56edffaab8f782cf8c0ecf94435a225be74
- SSDEEP
  
  49152:PhIHb/bSc6IcrHCgMItXHm+b5EDFGlxqV0:JIb/bSXIczCyVRb2DFq
Score

10^/10

amadey cryptbot redline stealc @cloudytteam default2 fed3aa livetraffic credential_access discovery evasion infostealer spyware stealer trojan gcleaner loader
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- CryptBot
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

CryptBot

GCleaner

RedLine

RedLine payload

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2