amadey

Sharing

Copy URL

Twitter E-mail

General

Target

tmp
Size

235KB
Sample

230122-t1vtfsad3s
MD5

6779cd6f17fa7536c4490cc6d72a00a0
SHA1

2976ecc0ecc2800be22fa92868c2173a44e04ee0
SHA256

b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
SHA512

88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
SSDEEP

6144:eLUoeyDABOdDubDXqgraG0JzSRuVyL+VYjQqgE:elu0LgwJ4uVyaV+J

Malware Config

Extracted

Family

amadey

Version

3.66

62.204.41.242/9vZbns/index.php

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

redline

Botnet

tanos

62.204.41.159:4062

Attributes

auth_value
bcb77cd67cf9918d25e4b6ae210a9305

Extracted

Family

redline

Botnet

re1

librchichelpai.shop:81

rniwondunuifac.shop:81

Attributes

auth_value
ed3efbb6da2413ddef90855eed83d6fa

Extracted

Family

redline

Botnet

temp999

82.115.223.9:15486

Attributes

auth_value
c12cdc1127b45350218306e5550c987e

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

151.80.89.233:13553

Attributes

auth_value
fbee175162920530e6bf470c8003fa1a

Extracted

Family

vidar

Version

2.1

Botnet

701

https://t.me/jetbim2

https://steamcommunity.com/profiles/76561199471266194

Attributes

profile_id
701

Extracted

Family

redline

Botnet

zaliv

82.115.223.140:1522

Attributes

auth_value
31e625b4714b3f30195e6ec4e8d9fba4

Extracted

Family

amadey

Version

3.65

hellomr.observer/7gjD0Vs3d/index.php

researchersgokick.rocks/7gjD0Vs3d/index.php

pleasetake.pictures/7gjD0Vs3d/index.php

Extracted

Family

redline

Botnet

HYPE

38.54.125.68:21137

Attributes

auth_value
997a647ef21cafae14b1b5f887bc6208

Extracted

Family

redline

Botnet

slava

81.161.229.143:26910

Attributes

auth_value
1fa3bcfe9f552d4efe7e265b42c3ebff

Targets

- Target
  
  tmp
- Size
  
  235KB
- MD5
  
  6779cd6f17fa7536c4490cc6d72a00a0
- SHA1
  
  2976ecc0ecc2800be22fa92868c2173a44e04ee0
- SHA256
  
  b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
- SHA512
  
  88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
- SSDEEP
  
  6144:eLUoeyDABOdDubDXqgraG0JzSRuVyL+VYjQqgE:elu0LgwJ4uVyaV+J
Score

10^/10

amadey spyware stealer trojan dcrat redline vidar zingo 701 @redlinevip cloud (tg: @fatherofcarders)hype re1 slava tanos temp999 zaliv collection discovery evasion infostealer persistence rat upx vmprotect
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Zingo stealer
  Zingo is an info stealer first seen in March 2022.
  stealer trojan zingo
- Zingo stealer payload
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

DcRat

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

Vidar

Zingo stealer

Zingo stealer payload

DCRat payload

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

VMProtect packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Drops desktop.ini file(s)

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2