amadey | 7df868b54ba4b1fe76d72e39d4586e7bfacd687956082429ed9bab6c8e8faab3 | Triage

Sharing

General

Target

a9e69c61ca556674ed5b73fd40e425f2ef93d0f201d1e710fb9b8104ae727199.zip
Size

640KB
Sample

230308-pv8e5sfh6v
MD5

855b2bda83d2c4ac8c41fe8a33a42afb
SHA1

55215b9b331b14e662b133e1892e4956481fc466
SHA256

7df868b54ba4b1fe76d72e39d4586e7bfacd687956082429ed9bab6c8e8faab3
SHA512

4f0a052d6fddd8442263a3bdd0074161651281e8030eeebbb702599f220f6d52567a6f4d66517b1a2366b52448cb5b3a340866919c743d21a3bd233ac6db769a
SSDEEP

12288:V1WFR8sBuE8gXys+/kYUsDvfkZrh3LVA0Pin9zscllisoU8J:GrTBukyfk1sTkZrh3LOwg9Qibod

Score

10^/10

amadey redline fabio evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.68

C2

193.233.20.26/Do3m4Gor/index.php

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes

auth_value
56b82736c3f56b13be8e64c87d2cf9e5

Targets

- Target
  
  a9e69c61ca556674ed5b73fd40e425f2ef93d0f201d1e710fb9b8104ae727199.exe
- Size
  
  691KB
- MD5
  
  07be2ad3e9d59c4d1abe879eefa5828a
- SHA1
  
  c23109225e824863a198df9f5b5231e93414c266
- SHA256
  
  a9e69c61ca556674ed5b73fd40e425f2ef93d0f201d1e710fb9b8104ae727199
- SHA512
  
  5731bf4d5f95e7e0796c6522abd0723adf331cbee22b543a4935fc3c16651b82e8b692692b8159475654aeccff8cdc910d8767bcfc312af89199b0b5359c2a66
- SSDEEP
  
  12288:8Mr8y90LPGazvF3Yores7q1Gw0oE5FwLw2YFKBisGy64rPYSbN15PKcGV6bOd:QysdztIvpCo0iwRDy7gSbNjPnGVzd
Score

10^/10

amadey redline fabio evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

amadeyredlinefabioevasioninfostealerpersistencetrojan

behavioral2

amadeyredlinefabioevasioninfostealerpersistencetrojan