amadey | 5ad5cf6876d842ee0910d22e8bd596b05f5e0d84cff3593411f66ee44a8071fb | Triage

Sharing

General

Target

0b857f695ac9881c7e664fd00dffb30381bcd51a2d5a4e8e9877c142aa5774d4.zip
Size

638KB
Sample

230308-pvz4rsfh5y
MD5

2710ad6b417303d1c9019f7475c8900a
SHA1

6ac849816d32a9c806077ae20ab13edd17423949
SHA256

5ad5cf6876d842ee0910d22e8bd596b05f5e0d84cff3593411f66ee44a8071fb
SHA512

2875556d723665156fb9e4b2b26249f544dfc9af58275d8ec92539269e208a24ea606825cb1f6f1b9861a376dc6e3215212e53150f27f528f2687e9c00fa1a8a
SSDEEP

12288:4VSlq2pCZqCW3Jj9ABtWJ3p440O5NaCIwl3glr6VnyHgL7CFdwSME/W7p0AHZP/9:4U82pIlKJjeM240O5NnIwla6g+WMgW7t

Score

10^/10

amadey redline fabio evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.68

C2

193.233.20.26/Do3m4Gor/index.php

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes

auth_value
56b82736c3f56b13be8e64c87d2cf9e5

Targets

- Target
  
  0b857f695ac9881c7e664fd00dffb30381bcd51a2d5a4e8e9877c142aa5774d4.exe
- Size
  
  689KB
- MD5
  
  10586811a37e8f473466952597f98301
- SHA1
  
  7e472e3961475061394c7448febd4c77a29de022
- SHA256
  
  0b857f695ac9881c7e664fd00dffb30381bcd51a2d5a4e8e9877c142aa5774d4
- SHA512
  
  4ff79ea83f2c8c0a56c17c30fdda7015b40707bbfd7991a2422a9fd4e4bca81121e6313358ccacae75353fd77e3f40494034c92f922e70f8103e09c1be1f8c2e
- SSDEEP
  
  12288:hMrgy90duzjHoqe0pKF5f/GtiCpEmgidIP/CB/efbMdz4v:5yzjG6WdGtiCpEnidIP/CBAbM54v
Score

10^/10

amadey redline fabio evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

amadeyredlinefabioevasioninfostealerpersistencetrojan

behavioral2

amadeyredlinefabioevasioninfostealerpersistencetrojan