Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file

  • Size

    232KB

  • Sample

    221125-m2eqasca26

  • MD5

    12330934a181c655f532a245518903e0

  • SHA1

    847d9d442fbfd2d5bd70073ca4172db99dcb2a9f

  • SHA256

    f8211ce16a689baf63b208437d1d1da3afe251c3e74acd34baa3307cfeb21e86

  • SHA512

    22076fd7abf15061f354986a2e939d99defa87d33c0ef857e09577f18f99d0d1e6f966f7852f6ea6fef16ff48010acf389dac728e667005ee57fa70fc038acb2

  • SSDEEP

    3072:dI4Hxjn3JnPWZro5d5cywHYOim8M0tw1mwT/WijUTEPZEUIODsRg/zDlFi3:G+1PWEYYxM0tsmP+EoDs+Dls3

Score
10/10
amadeyredlineritchshitinfostealerpersistencespywaretrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

Extracted

Family

redline

Botnet

ritchshit

C2

94.103.183.33:80

Attributes
  • auth_value

    98c1a18edcc6e04afa19a0ee3b16a6e2

Targets

    • Target

      file

    • Size

      232KB

    • MD5

      12330934a181c655f532a245518903e0

    • SHA1

      847d9d442fbfd2d5bd70073ca4172db99dcb2a9f

    • SHA256

      f8211ce16a689baf63b208437d1d1da3afe251c3e74acd34baa3307cfeb21e86

    • SHA512

      22076fd7abf15061f354986a2e939d99defa87d33c0ef857e09577f18f99d0d1e6f966f7852f6ea6fef16ff48010acf389dac728e667005ee57fa70fc038acb2

    • SSDEEP

      3072:dI4Hxjn3JnPWZro5d5cywHYOim8M0tw1mwT/WijUTEPZEUIODsRg/zDlFi3:G+1PWEYYxM0tsmP+EoDs+Dls3

    Score
    10/10
    amadeytrojanredlineritchshitinfostealerpersistencespyware

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks