amadey

General

Target

134e949f5955a70bbd4b0514203d41f0efc5272c48268ed397e4aca3e7422795
Size

718KB
Sample

230411-ph16ascc97
MD5

7fc85b29bd0ff2051634e75688df6ff2
SHA1

cfe900ace8dcadb46f74dc5312e1493b1b4a2f74
SHA256

134e949f5955a70bbd4b0514203d41f0efc5272c48268ed397e4aca3e7422795
SHA512

e69d36480f5190f0a964abf087defa9dcd27450b0fc4999f4b98c4f881496cf9317af24ca9349fdaf46523796fbb79f47acc645f43a5899ca6d5cbcf053fa808
SSDEEP

12288:JMrNy90SQoF9PaJFPqIdTtzeHt3jyNYzzgcHemSF/8+zxMHNjcSB32sQbPAWSIJY:AyVQoF5aJFyISNzyNmzgQj+VMtjHRnQG

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

diza

C2

185.161.248.90:4125

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

amadey

Version

3.70

C2

77.91.124.207/plays/chapter/index.php

Targets

- Target
  
  134e949f5955a70bbd4b0514203d41f0efc5272c48268ed397e4aca3e7422795
- Size
  
  718KB
- MD5
  
  7fc85b29bd0ff2051634e75688df6ff2
- SHA1
  
  cfe900ace8dcadb46f74dc5312e1493b1b4a2f74
- SHA256
  
  134e949f5955a70bbd4b0514203d41f0efc5272c48268ed397e4aca3e7422795
- SHA512
  
  e69d36480f5190f0a964abf087defa9dcd27450b0fc4999f4b98c4f881496cf9317af24ca9349fdaf46523796fbb79f47acc645f43a5899ca6d5cbcf053fa808
- SSDEEP
  
  12288:JMrNy90SQoF9PaJFPqIdTtzeHt3jyNYzzgcHemSF/8+zxMHNjcSB32sQbPAWSIJY:AyVQoF5aJFyISNzyNmzgQj+VMtjHRnQG
Score

10^/10

amadey redline diza rosn discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1