amadey

General

Target

file.exe
Size

946KB
Sample

230217-efmj1sdf56
MD5

59b322fb0c34d973879140981c610a59
SHA1

32df0c183fcde846153f3759fe9bbf6064c56b6c
SHA256

6639844cb33e78efc5093408048255bd1f673488be72e9c70d965847425b5d10
SHA512

36baae3069b8759173fea9a643297fa62b32382775f657d70f85bcd9d3aca56c2ecb524767c2eb2d8fc03c3c933249239e66a67a8b68702ed0c29cfd282c59f9
SSDEEP

12288:qMrJy900ISLvRweiAs4sje4LYGU12bRoH57MVvz3TitEnvxdHGWIgBp18tFhyJUj:ry3oAQa6o8oudHGup1Te/

Score

10^/10

amadey redline ck dubka ruma discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dubka

C2

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Extracted

Family

redline

Botnet

ruma

C2

193.233.20.13:4136

Attributes

auth_value
647d00dfaba082a4a30f383bca5d1a2a

Extracted

Family

amadey

Version

3.66

C2

193.233.20.2/Bn89hku/index.php

Extracted

Family

redline

Botnet

ck

C2

176.113.115.17:4132

Attributes

auth_value
7ac4424f89748eae7f5c6a4756d89c28

Targets

- Target
  
  file.exe
- Size
  
  946KB
- MD5
  
  59b322fb0c34d973879140981c610a59
- SHA1
  
  32df0c183fcde846153f3759fe9bbf6064c56b6c
- SHA256
  
  6639844cb33e78efc5093408048255bd1f673488be72e9c70d965847425b5d10
- SHA512
  
  36baae3069b8759173fea9a643297fa62b32382775f657d70f85bcd9d3aca56c2ecb524767c2eb2d8fc03c3c933249239e66a67a8b68702ed0c29cfd282c59f9
- SSDEEP
  
  12288:qMrJy900ISLvRweiAs4sje4LYGU12bRoH57MVvz3TitEnvxdHGWIgBp18tFhyJUj:ry3oAQa6o8oudHGup1Te/
Score

10^/10

amadey redline ck dubka ruma discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2