amadey | ca014233be75c395b673c5bd7a6a7e6e3a6aeba50201ff8f095295429d256045 | Triage

Sharing

General

Target

ca014233be75c395b673c5bd7a6a7e6e3a6aeba50201ff8f095295429d256045
Size

1.4MB
Sample

230414-t9yayacc5v
MD5

1802ffc0bd3194a09cdf196c9268afe0
SHA1

9d7533fd74bfbe192f14cb02a4fe695e92433abf
SHA256

ca014233be75c395b673c5bd7a6a7e6e3a6aeba50201ff8f095295429d256045
SHA512

5cd052e5aa6e98e9a7c1f2b92aac32cff2b1d4ebcf93c306eb377b308c15d0e5cdb53b8c0e5f22a1127749b79af3b5349ed6678ff8ba2bd9c000abd361bb21f0
SSDEEP

24576:TyTJcuyRbxPin/lQ9y0iF2KjN+DtRitNow23h+mjdgAxE:mTJgPi/OiQmqT/

Score

10^/10

amadey redline soft evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

soft

C2

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

amadey

Version

3.70

C2

193.201.9.43/plays/chapter/index.php

Targets

- Target
  
  ca014233be75c395b673c5bd7a6a7e6e3a6aeba50201ff8f095295429d256045
- Size
  
  1.4MB
- MD5
  
  1802ffc0bd3194a09cdf196c9268afe0
- SHA1
  
  9d7533fd74bfbe192f14cb02a4fe695e92433abf
- SHA256
  
  ca014233be75c395b673c5bd7a6a7e6e3a6aeba50201ff8f095295429d256045
- SHA512
  
  5cd052e5aa6e98e9a7c1f2b92aac32cff2b1d4ebcf93c306eb377b308c15d0e5cdb53b8c0e5f22a1127749b79af3b5349ed6678ff8ba2bd9c000abd361bb21f0
- SSDEEP
  
  24576:TyTJcuyRbxPin/lQ9y0iF2KjN+DtRitNow23h+mjdgAxE:mTJgPi/OiQmqT/
Score

10^/10

amadey redline soft evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyredlinesoftevasioninfostealerpersistencetrojan