amadey | 32ffc42efc44eab9be45965aefc1e6207db387690f00dff10a25b3b2a6cc765f | Triage

Sharing

Copy URL Twitter E-mail

General

Target

32ffc42efc44eab9be45965aefc1e6207db387690f00dff10a25b3b2a6cc765f
Size

796KB
Sample

230211-kh6zbsbf37
MD5

9e8d11681ebdd084702e544a34693445
SHA1

9ef6a1c1642d14c2eba42258282ae32c9a6d1475
SHA256

32ffc42efc44eab9be45965aefc1e6207db387690f00dff10a25b3b2a6cc765f
SHA512

015b32490a0b4043c57b01720eac81a6f7746bb1eb5020034a3a1cb691ccc1161e87e2b380d3943a4d8138e09da20b520f55ee6b98cc6510ce3f3eae797c1b57
SSDEEP

24576:wyucKpzeViO/XOIvGto88o1HI1WvXUUzr9DEKF:3bwe8sXOIvGto88oNZvr/xEK

Score

10^/10

amadey redline fusa discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes

auth_value
a08b2f01bd2af756e38c5dd60e87e697

Extracted

Family

amadey

Version

3.66

C2

62.204.41.5/Bu58Ngs/index.php

Targets

- Target
  
  32ffc42efc44eab9be45965aefc1e6207db387690f00dff10a25b3b2a6cc765f
- Size
  
  796KB
- MD5
  
  9e8d11681ebdd084702e544a34693445
- SHA1
  
  9ef6a1c1642d14c2eba42258282ae32c9a6d1475
- SHA256
  
  32ffc42efc44eab9be45965aefc1e6207db387690f00dff10a25b3b2a6cc765f
- SHA512
  
  015b32490a0b4043c57b01720eac81a6f7746bb1eb5020034a3a1cb691ccc1161e87e2b380d3943a4d8138e09da20b520f55ee6b98cc6510ce3f3eae797c1b57
- SSDEEP
  
  24576:wyucKpzeViO/XOIvGto88o1HI1WvXUUzr9DEKF:3bwe8sXOIvGto88oNZvr/xEK
Score

10^/10

amadey redline fusa discovery infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyredlinefusadiscoveryinfostealerpersistencespywarestealertrojan