amadey

General

Target

76a239b701073b4c51f36d90c9b4545b7d8f743abf879e0a885a4314942584bf
Size

944KB
Sample

230216-nzwfpsha6y
MD5

aaa071233ac17a44fe20ad4ec2722347
SHA1

a6683b51a0f7f1a4d106dcf786619985f063918c
SHA256

76a239b701073b4c51f36d90c9b4545b7d8f743abf879e0a885a4314942584bf
SHA512

32b00b0cdea5cedb3712ad82d1a0d87e81e42b185b470e8716f4106c421f2342b647da045bb89d0dcab3633e0c0e731bc7dbedf2d7efe1e6d2978a6ec8f72ae5
SSDEEP

12288:HMr/y90KDBm1hoyITtzO2Q07EuUDpPZCl4eW3oyPcc36u/hm0BjX5oPIYq+3xqyV:UybEhcy2QqiQs31PccnxJp2qabtWZRg

Score

10^/10

amadey redline ck dubka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dubka

C2

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Extracted

Family

amadey

Version

3.66

C2

193.233.20.2/Bn89hku/index.php

Extracted

Family

redline

Botnet

ck

C2

176.113.115.17:4132

Attributes

auth_value
7ac4424f89748eae7f5c6a4756d89c28

Targets

- Target
  
  76a239b701073b4c51f36d90c9b4545b7d8f743abf879e0a885a4314942584bf
- Size
  
  944KB
- MD5
  
  aaa071233ac17a44fe20ad4ec2722347
- SHA1
  
  a6683b51a0f7f1a4d106dcf786619985f063918c
- SHA256
  
  76a239b701073b4c51f36d90c9b4545b7d8f743abf879e0a885a4314942584bf
- SHA512
  
  32b00b0cdea5cedb3712ad82d1a0d87e81e42b185b470e8716f4106c421f2342b647da045bb89d0dcab3633e0c0e731bc7dbedf2d7efe1e6d2978a6ec8f72ae5
- SSDEEP
  
  12288:HMr/y90KDBm1hoyITtzO2Q07EuUDpPZCl4eW3oyPcc36u/hm0BjX5oPIYq+3xqyV:UybEhcy2QqiQs31PccnxJp2qabtWZRg
Score

10^/10

amadey redline ck dubka discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1