amadey | 0fe8bfa751332312a2e3d3626981385b4820a62ce14d17a08fbe9067a3ebcb05 | Triage

Sharing

General

Target

0fe8bfa751332312a2e3d3626981385b4820a62ce14d17a08fbe9067a3ebcb05
Size

1.1MB
Sample

230210-z25b6sdc85
MD5

27bfb8361ccae6f508d3ed90a2571edb
SHA1

960d79406e617d631804b818fb83a389a88e4e7b
SHA256

0fe8bfa751332312a2e3d3626981385b4820a62ce14d17a08fbe9067a3ebcb05
SHA512

ee3b43a23c555e3b8a9396b7c1d30b49235fa1edfbd7e5ca971bfbf10d8f6e90b692adfa4ea0ae4cbd1ff416d3b0f33d6b1e4d3f5c760c9088e69338f3d2e388
SSDEEP

24576:LyYpwqT3XJULRIvIW8oWbTsXVciWorl7uHcAUapmtLyiVo:+kwiXJzvD8oWbYSEl7K3Bm

Score

10^/10

amadey redline dunm romik discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.4/Gol478Ns/index.php

Extracted

Family

redline

Botnet

dunm

C2

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Extracted

Family

redline

Botnet

romik

C2

193.233.20.12:4132

Attributes

auth_value
8fb78d2889ba0ca42678b59b884e88ff

Targets

- Target
  
  0fe8bfa751332312a2e3d3626981385b4820a62ce14d17a08fbe9067a3ebcb05
- Size
  
  1.1MB
- MD5
  
  27bfb8361ccae6f508d3ed90a2571edb
- SHA1
  
  960d79406e617d631804b818fb83a389a88e4e7b
- SHA256
  
  0fe8bfa751332312a2e3d3626981385b4820a62ce14d17a08fbe9067a3ebcb05
- SHA512
  
  ee3b43a23c555e3b8a9396b7c1d30b49235fa1edfbd7e5ca971bfbf10d8f6e90b692adfa4ea0ae4cbd1ff416d3b0f33d6b1e4d3f5c760c9088e69338f3d2e388
- SSDEEP
  
  24576:LyYpwqT3XJULRIvIW8oWbTsXVciWorl7uHcAUapmtLyiVo:+kwiXJzvD8oWbYSEl7K3Bm
Score

10^/10

amadey redline dunm romik discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyredlinedunmromikdiscoveryevasioninfostealerpersistencespywarestealertrojan