amadey

General

Target

69f302a7eee65729f07618d57c39f954e5dbde0ecf41b9b0012a4c3682711263
Size

163KB
Sample

221129-2zz1saaf6x
MD5

5ab04664c1afebe0140950819a0662aa
SHA1

fec4bb5d57c71acd27793ed45cebff80a4c57c3c
SHA256

0899f34d72a6889d10017136246ca4969a57c7fa6c0198bd973639b945be3292
SHA512

ac022126464de568ec54e7a06bd6d89bb947c1bc137b0190769bc92930977e545fede2324bb7ce5611ec9dfb4b1d1ff770fa59f81c244179075c909335eaeb39
SSDEEP

3072:9xL1+BTV3eAfky9G+D1vCcCOeviVJ9kjhnM2PJ9OWnisWUA:8ZeAfd9LPAab9kjhM2Wzd

Score

10^/10

amadey redline @redlinevip cloud (tg: @fatherofcarders)lege new2811 slov collection discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

62.204.41.252/nB8cWack3/index.php

Extracted

Family

redline

Botnet

slov

C2

31.41.244.14:4694

Attributes

auth_value
a4345b536a3d0d0e8e81ef7e5199d6d0

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.233:13553

Attributes

auth_value
fbee175162920530e6bf470c8003fa1a

Extracted

Family

redline

Botnet

new2811

C2

jamesmillion.xyz:15772

Attributes

auth_value
86a08d2c48d5c5db0c9cb371fb180937

Extracted

Family

redline

Botnet

Lege

C2

31.41.244.14:4694

Attributes

auth_value
096090aaf3ba0872338140cec5689868

Targets

- Target
  
  69f302a7eee65729f07618d57c39f954e5dbde0ecf41b9b0012a4c3682711263
- Size
  
  206KB
- MD5
  
  b8f1431509582798dbc86ad48dc29d02
- SHA1
  
  ba44150969065a9e60ac03625287584bf2978a7e
- SHA256
  
  69f302a7eee65729f07618d57c39f954e5dbde0ecf41b9b0012a4c3682711263
- SHA512
  
  1bcdd40cd256d6dc5dae963e6023b5015be2d97c89b9277f9d9ff8a5bff6c322c73f99e7869b0297a8687c3152190069c32179ba04f2ca33ee2b68aefbf234bc
- SSDEEP
  
  3072:xaRCh82CnttAv5Vh7eAfky9G+D1vCcCOeviVJ9kjfnM2PJ9OW15+K37O:yU82CttU7eAfd9LPAab9kjfM2T3
Score

10^/10

amadey redline @redlinevip cloud (tg: @fatherofcarders)lege new2811 slov collection discovery infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2