amadey

General

Target

b85bd773d7ad0d895d6378cd58a2fe54.exe
Size

688KB
Sample

230318-nz5z5sec2z
MD5

b85bd773d7ad0d895d6378cd58a2fe54
SHA1

46e2b91271ac713a90a2d159faa303c824c9068a
SHA256

cfc45d387f1b16d885b66bffbf9d6c8f0a8ee33ae78d8bca4e0ddaf3b4f13e73
SHA512

b2ed18aef773725f3d6f3b367a8646db56d12a58ae268315ea007488f80f230d92e767119a9fd06eefff63218648b9127b4e31e7e79ab19199498bf38426686b
SSDEEP

12288:QMrPy9089tTtKfT6kJKCjZ5iEVHHkxSMAiIPCkvWDP2EVViRtFp3:PyZ9tT8fTbd5pp6ZAiIPyaqUT1

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

vint

C2

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

C2

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

@REDLINEVIPCHAT Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.234:19388

Attributes

auth_value
56af49c3278d982f9a41ef2abb7c4d09

Extracted

Family

redline

Botnet

Redline

C2

85.31.54.181:43728

Attributes

auth_value
1666a0a46296c430de7ba5e70bd0c0f3

Targets

- Target
  
  b85bd773d7ad0d895d6378cd58a2fe54.exe
- Size
  
  688KB
- MD5
  
  b85bd773d7ad0d895d6378cd58a2fe54
- SHA1
  
  46e2b91271ac713a90a2d159faa303c824c9068a
- SHA256
  
  cfc45d387f1b16d885b66bffbf9d6c8f0a8ee33ae78d8bca4e0ddaf3b4f13e73
- SHA512
  
  b2ed18aef773725f3d6f3b367a8646db56d12a58ae268315ea007488f80f230d92e767119a9fd06eefff63218648b9127b4e31e7e79ab19199498bf38426686b
- SSDEEP
  
  12288:QMrPy9089tTtKfT6kJKCjZ5iEVHHkxSMAiIPCkvWDP2EVViRtFp3:PyZ9tT8fTbd5pp6ZAiIPyaqUT1
Score

10^/10

amadey redline rhadamanthys @redlinevipchat cloud (tg: @fatherofcarders)redline vint discovery evasion infostealer persistence spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect rhadamanthys stealer shellcode
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Downloads MZ/PE file
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2