amadey | a35a3a7620026d61aa7543219d494af8fedfb521056c46209a2b21e9b053a95f | Triage

Submit
Reports

Overview

overview

Static

static

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

322KB
Sample

221207-w8xdcsag3s
MD5

66f628eafb5be3ca8bcf98e0cadb2e0f
SHA1

48cf389bb91d7968084e53b91aaa4ecb8f0be134
SHA256

a35a3a7620026d61aa7543219d494af8fedfb521056c46209a2b21e9b053a95f
SHA512

dd5b549a9072076c9ae8bec337193e2ff8f231a7a29e2bf5c3f325b61efa692eff18906d5097cfc509a03a915bde496a37092f3866e7fb402e149be9ec80f8d3
SSDEEP

3072:Ta5RNcYULHoHmFygv563SHgpcEvk1MUaksFH2KsB9vcC4393ZWk4JnIBmUPgykRH:+zTicSHjMUOFdJEkc4YTO5VzeGilf

Score

10^/10

amadey redline nosh collection infostealer spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20221111-en

amadey collection spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20221111-en

amadey redline nosh collection infostealer spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.237/jg94cVd30f/index.php

Extracted

Family

redline

Botnet

nosh

C2

31.41.244.14:4683

Attributes

auth_value
7455ba4498ca1bfb73b0efbf830fb9b4

Targets

- Target
  
  file.exe
- Size
  
  322KB
- MD5
  
  66f628eafb5be3ca8bcf98e0cadb2e0f
- SHA1
  
  48cf389bb91d7968084e53b91aaa4ecb8f0be134
- SHA256
  
  a35a3a7620026d61aa7543219d494af8fedfb521056c46209a2b21e9b053a95f
- SHA512
  
  dd5b549a9072076c9ae8bec337193e2ff8f231a7a29e2bf5c3f325b61efa692eff18906d5097cfc509a03a915bde496a37092f3866e7fb402e149be9ec80f8d3
- SSDEEP
  
  3072:Ta5RNcYULHoHmFygv563SHgpcEvk1MUaksFH2KsB9vcC4393ZWk4JnIBmUPgykRH:+zTicSHjMUOFdJEkc4YTO5VzeGilf
Score

10^/10

amadey collection spyware stealer trojan redline nosh infostealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

amadeycollectionspywarestealertrojan

behavioral2

amadeyredlinenoshcollectioninfostealerspywarestealertrojan

© 2018-2024

Terms | Privacy