amadey

General

Target

setup.exe
Size

1.0MB
Sample

230318-r1a3yace84
MD5

904fb892019411195b184f57b9f3ab97
SHA1

ea177e25a98d641d8d5c5871b57847bf53e8e785
SHA256

dc7031e737147d743c68465049a19b97be1cac8e93b35dda9b4c603e05b68895
SHA512

da223d1795a941aa5affc99afeb9732e7088d4e38667f6bd34695350a1ace677be9c0ea17b92f20fd45c5b676301f47b126efdc063b9ece56230f2afa7685504
SSDEEP

24576:Dy9DDp0+N059pQH/BxgwWOjcmd2PU1wzDzpR:WZt0++9a/BxgwWOjcq1G

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

vint

C2

193.233.20.30:4125

Attributes

auth_value
fb8811912f8370b3d23bffda092d88d0

Extracted

Family

amadey

Version

3.68

C2

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

@REDLINEVIPCHAT Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.234:19388

Attributes

auth_value
56af49c3278d982f9a41ef2abb7c4d09

Extracted

Family

redline

Botnet

Redline

C2

85.31.54.181:43728

Attributes

auth_value
1666a0a46296c430de7ba5e70bd0c0f3

Targets

- Target
  
  setup.exe
- Size
  
  1.0MB
- MD5
  
  904fb892019411195b184f57b9f3ab97
- SHA1
  
  ea177e25a98d641d8d5c5871b57847bf53e8e785
- SHA256
  
  dc7031e737147d743c68465049a19b97be1cac8e93b35dda9b4c603e05b68895
- SHA512
  
  da223d1795a941aa5affc99afeb9732e7088d4e38667f6bd34695350a1ace677be9c0ea17b92f20fd45c5b676301f47b126efdc063b9ece56230f2afa7685504
- SSDEEP
  
  24576:Dy9DDp0+N059pQH/BxgwWOjcmd2PU1wzDzpR:WZt0++9a/BxgwWOjcq1G
Score

10^/10

amadey redline rhadamanthys @redlinevipchat cloud (tg: @fatherofcarders)gena redline vint discovery evasion infostealer persistence spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect rhadamanthys stealer shellcode
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Downloads MZ/PE file
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2