amadey

General

Target

935c8459f31edb0ec9be0e6ce3cb53ab.exe
Size

1013KB
Sample

230324-t4s42afe72
MD5

935c8459f31edb0ec9be0e6ce3cb53ab
SHA1

ea766a0431c3dc91336432d0ff7b26e45d5bacf9
SHA256

74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a
SHA512

969c42a0f20c7d68dd5dc52cdedeaedca5783e650bfee43e823b049b85e1c47885cc655cc5cf58abafdad9a23c388f016c0552fc7e30a74a2ca19a52faff9c5b
SSDEEP

24576:2yyuQU6oDHu7pQLRBOrFPkVfovB1NcwWVM:FyuQkHforhkRoJ1NcL

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lida

C2

193.233.20.32:4125

Attributes

auth_value
24052aa2e9b85984a98d80cf08623e8d

Extracted

Family

amadey

Version

3.68

C2

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

Anh123

C2

199.115.193.116:11300

Attributes

auth_value
db990971ec3911c24ea05eeccc2e1f60

Extracted

Family

redline

Botnet

whitedoc

C2

81.161.229.143:45156

Attributes

auth_value
2020d22aaa2ecafa1b12e00dfcffae03

Targets

- Target
  
  935c8459f31edb0ec9be0e6ce3cb53ab.exe
- Size
  
  1013KB
- MD5
  
  935c8459f31edb0ec9be0e6ce3cb53ab
- SHA1
  
  ea766a0431c3dc91336432d0ff7b26e45d5bacf9
- SHA256
  
  74faa2ec8f6fb1ab3d84f5a14824e4d58d0cc5d610021f5edf250184de062e0a
- SHA512
  
  969c42a0f20c7d68dd5dc52cdedeaedca5783e650bfee43e823b049b85e1c47885cc655cc5cf58abafdad9a23c388f016c0552fc7e30a74a2ca19a52faff9c5b
- SSDEEP
  
  24576:2yyuQU6oDHu7pQLRBOrFPkVfovB1NcwWVM:FyuQkHforhkRoJ1NcL
Score

10^/10

amadey redline anh123 boris lida whitedoc discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2