amadey

General

Target

e577def081e7d44de97c7db5f2da1e35fbc19491d153d1ff9ddd7ebe85ee4d35
Size

174KB
Sample

221127-e1k7padc7x
MD5

dfb812cfa502d08200fc08c23d09ffdf
SHA1

37274abbda5c40b8dc92ba096156e84f0debfbdb
SHA256

ec2996d6cc2aff07d357719cbb7ac13400fa7e4fae7448cdd13553e357f2d104
SHA512

315dae799c9c20d76e24200bc53e38e183421cd665c383d37dd66a19c0d893dcf9064e4ca49684b65cdd16b0a6be1c542436f9346686f9d12affbed5a7712f40
SSDEEP

3072:erMT/qtAai0Z2XQv7pW1Sye/PvHXXrlkzZDQGUd2f0ES9v7tx1VXI8p4iFwmtfdj:e4qtAaDZ2X87pW1SdPPXhUQGUdYWv7j/

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

NewYear2023

C2

185.106.92.111:2510

Attributes

auth_value
99e9bde3b38509ea98c3316cc27e6106

Extracted

Family

laplas

C2

clipper.guru

Attributes

api_key
ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb

Targets

- Target
  
  e577def081e7d44de97c7db5f2da1e35fbc19491d153d1ff9ddd7ebe85ee4d35
- Size
  
  226KB
- MD5
  
  d264eff72e0fc5e1ba488a07b45b1cf7
- SHA1
  
  b1d7fd92f5eeb19b22c06bedd06dcec12b0c3823
- SHA256
  
  e577def081e7d44de97c7db5f2da1e35fbc19491d153d1ff9ddd7ebe85ee4d35
- SHA512
  
  3340cc12e2adc11d950c3f26c38f1798da7839ee7d218e99578035bb311d85d1bfd25a7b88b3b34d6f13a9975af1ddb9af6196d663c3fd944ae9b2d9670bddf5
- SSDEEP
  
  3072:6dY5qv9JuDqZzS5NdC77dDXErlkzZDQGUh2f0ES9v7tx1VXjqCafeNZeO:R4bOqZWdwyhUQGUhYWv7jzqAN
Score

10^/10

amadey laplas redline newyear2023 collection infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Laplas Clipper
  Laplas is a crypto wallet stealer with two variants written in Golang and C#.
  stealer laplas
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
behavioral1 behavioral2