amadey | e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec | Triage

Sharing

General

Target

0x00080000000133e1-1070.dat
Size

236KB
Sample

230401-d7j3jafg28
MD5

2fa69c60afa1edaf94cf260aefdeac71
SHA1

0ba27832d70d9cc813bb859081cd6ade8164238f
SHA256

e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec
SHA512

636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3
SSDEEP

3072:N2gKdS0PkjvF5fHdjdyhRGc6zMBdSkbcaKhSdctuVi1VWQO3eIb1NcaWVJ5L:A9d78jt5fHbyhRFMMBd/ySMuViNSc39

Score

10^/10

amadey aurora laplas redline redline clipper infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.69

C2

193.233.20.36/joomla/index.php

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

aurora

C2

212.87.204.93:8081

Extracted

Family

redline

Botnet

Redline

C2

85.31.54.183:43728

Attributes

auth_value
1666a0a46296c430de7ba5e70bd0c0f3

Targets

- Target
  
  0x00080000000133e1-1070.dat
- Size
  
  236KB
- MD5
  
  2fa69c60afa1edaf94cf260aefdeac71
- SHA1
  
  0ba27832d70d9cc813bb859081cd6ade8164238f
- SHA256
  
  e51562dd706a300010cab88c6544b3ac4a96b79418accd6cbb52a2a73aee1cec
- SHA512
  
  636cba09e7ca6a6fffaef3ce571221d418f2097aa3bff7193d13779c6aea53ddb12b0a1c27d7ab49e67aec8e28a4e9ec1f1d9fc1c2d0321bf1b2265c1b7757c3
- SSDEEP
  
  3072:N2gKdS0PkjvF5fHdjdyhRGc6zMBdSkbcaKhSdctuVi1VWQO3eIb1NcaWVJ5L:A9d78jt5fHbyhRFMMBd/ySMuViNSc39
Score

10^/10

amadey aurora laplas redline redline clipper infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyauroralaplasredlineredlineclipperinfostealerpersistencestealertrojan

behavioral2