amadey

General

Target

4774886e64f62013ff5a48effa7256ba95fb1800d887617a2686a79f7a46b745
Size

991KB
Sample

230401-mr6e9she23
MD5

b37d677ce86786af1e1db9445eaf2de7
SHA1

fc93e26640c33b4a703ce045e1f52e8d4c2a6101
SHA256

4774886e64f62013ff5a48effa7256ba95fb1800d887617a2686a79f7a46b745
SHA512

0c6cb39deeea6f898cb12410e9c6d848322e65df836ab09d926f65f4cd3a35bf20b1d5a9f296b6445b7f7c752699c180d6c8ca8d5f35dac8436b70d3501d289d
SSDEEP

24576:3ypxUGoSA33fRlx+41rhQ8Le5FYc5TQISFmHZan4C4yj:C3UHj33fnx+41NBeXYeQNE5a4C4y

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

C2

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

C2

193.233.20.36/joomla/index.php

Targets

- Target
  
  4774886e64f62013ff5a48effa7256ba95fb1800d887617a2686a79f7a46b745
- Size
  
  991KB
- MD5
  
  b37d677ce86786af1e1db9445eaf2de7
- SHA1
  
  fc93e26640c33b4a703ce045e1f52e8d4c2a6101
- SHA256
  
  4774886e64f62013ff5a48effa7256ba95fb1800d887617a2686a79f7a46b745
- SHA512
  
  0c6cb39deeea6f898cb12410e9c6d848322e65df836ab09d926f65f4cd3a35bf20b1d5a9f296b6445b7f7c752699c180d6c8ca8d5f35dac8436b70d3501d289d
- SSDEEP
  
  24576:3ypxUGoSA33fRlx+41rhQ8Le5FYc5TQISFmHZan4C4yj:C3UHj33fnx+41NBeXYeQNE5a4C4y
Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1