amadey

Sharing

General

Target

tmp
Size

246KB
Sample

230111-l8tblaff6w
MD5

3eecba3432844005979be2167cd672c2
SHA1

81a6e2267bed7b56d3b55ce04c22ddb67c25376b
SHA256

33520cb1209409f60c2feb681777e52f315152ff2f14af1c59e7001b0c21f945
SHA512

5e9bf92a66d413597a5f398e0f16eb80e52cf524a86210889f97cc27ab9d1c19a8cc9b3a5bdce019e4eca409ec9c908c7328e83b29db51a0d978f1dbd65db169
SSDEEP

6144:ZNN2muvegDd73GS1NXZX6zlvKoWFu7u1yi5/KQNvR:LXgZDGSxWl5W6u1yEZ

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.65

62.204.41.151/8vcWxwwx3/index.php

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

redline

Botnet

shura

62.204.41.211:4065

Attributes

auth_value
2f02f1c9ca2536317ad1d99107fe7cf1

Extracted

Family

redline

Botnet

Na//skopro1111

82.115.223.15:15486

Attributes

auth_value
9e531151215f909c3107ffacf9428c11

Extracted

Family

redline

195.201.30.165:26489

sosharestelen.shop:80

Attributes

auth_value
ccbaec00f636c70edb4c46740e6bb1c9

Extracted

Family

redline

Botnet

debra

62.204.41.211:4065

Attributes

auth_value
24df232a5a333f96ae6fb8b270fed1ff

Extracted

Family

amadey

Version

3.63

62.204.41.91/8kcnjd3da3/index.php

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

151.80.89.233:13553

Attributes

auth_value
fbee175162920530e6bf470c8003fa1a

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Extracted

Family

redline

Botnet

Vix

116.203.68.191:37237

Attributes

auth_value
f635a2be7f155e9f45a51f0b602dad49

Extracted

Family

redline

Botnet

Sin json

198.37.105.211:44443

Attributes

auth_value
d9118d3342eaa56e58d4e53843b507bc

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/adwwe09/

Targets

- Target
  
  tmp
- Size
  
  246KB
- MD5
  
  3eecba3432844005979be2167cd672c2
- SHA1
  
  81a6e2267bed7b56d3b55ce04c22ddb67c25376b
- SHA256
  
  33520cb1209409f60c2feb681777e52f315152ff2f14af1c59e7001b0c21f945
- SHA512
  
  5e9bf92a66d413597a5f398e0f16eb80e52cf524a86210889f97cc27ab9d1c19a8cc9b3a5bdce019e4eca409ec9c908c7328e83b29db51a0d978f1dbd65db169
- SSDEEP
  
  6144:ZNN2muvegDd73GS1NXZX6zlvKoWFu7u1yi5/KQNvR:LXgZDGSxWl5W6u1yEZ
Score

10^/10

amadey eternity redline @redlinevip cloud (tg: @fatherofcarders)debra na//skopro1111 shura sin json vix collection discovery infostealer persistence spyware stealer trojan socelars microsoft phishing
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
  eternity
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Eternity

RedLine

RedLine payload

Socelars

Socelars payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Modifies Installed Components in the registry

Checks computer location settings

Loads dropped DLL

Reads local data of messenger clients

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2