amadey

General

Target

42596f7e2d1ab5a726d7e1536ad9670ee164ee25f4228480505cbdb745bfe5f6
Size

527KB
Sample

230205-3z9qnaeg5z
MD5

a668f43511ce53a706ff49889845e0a7
SHA1

c82d47d512eb019f95a4d7981dbf595de3978c66
SHA256

42596f7e2d1ab5a726d7e1536ad9670ee164ee25f4228480505cbdb745bfe5f6
SHA512

5f582fb8776becb808f58d135e21a1ed9421c305e002ea19bd4604d8b541ee3a2f204ac360c127c7f83e229615aca7838d994ebc4aabb0ae06aa5a1ef8afda4a
SSDEEP

6144:Kty+bnr+8p0yN90QEsa2csE15PmkGc0l/ZYjiZ+KmEJUas6bDNlb+8RtcZ2/71Id:nMroy90EcsSN0l/qWZt7JoQDw2F78

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.4/Gol478Ns/index.php

Extracted

Family

redline

Botnet

ringo

C2

176.113.115.16:4122

Attributes

auth_value
b8f864b25d84b5ed5591e4bfa647cdbe

Extracted

Family

redline

Botnet

temposs6678

C2

82.115.223.9:15486

Attributes

auth_value
af399e6a2fe66f67025541cf71c64313

Extracted

Family

redline

Botnet

ringo1

C2

176.113.115.16:4122

Attributes

auth_value
373b070fb57b7689445f097000cbd6c2

Targets

- Target
  
  42596f7e2d1ab5a726d7e1536ad9670ee164ee25f4228480505cbdb745bfe5f6
- Size
  
  527KB
- MD5
  
  a668f43511ce53a706ff49889845e0a7
- SHA1
  
  c82d47d512eb019f95a4d7981dbf595de3978c66
- SHA256
  
  42596f7e2d1ab5a726d7e1536ad9670ee164ee25f4228480505cbdb745bfe5f6
- SHA512
  
  5f582fb8776becb808f58d135e21a1ed9421c305e002ea19bd4604d8b541ee3a2f204ac360c127c7f83e229615aca7838d994ebc4aabb0ae06aa5a1ef8afda4a
- SSDEEP
  
  6144:Kty+bnr+8p0yN90QEsa2csE15PmkGc0l/ZYjiZ+KmEJUas6bDNlb+8RtcZ2/71Id:nMroy90EcsSN0l/qWZt7JoQDw2F78
Score

10^/10

amadey redline rhadamanthys ringo ringo1 temposs6678 discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect rhadamanthys stealer shellcode
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1