amadey | f2529c9a8dbb8d18018aae776ed1c94df2ff571ab32017780947244b734133e2 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

f2529c9a8dbb8d18018aae776ed1c94df2ff571ab32017780947244b734133e2
Size

1.2MB
Sample

230502-celvzsbc2y
MD5

ecb2988eec7a7335a79d26912a343ec1
SHA1

577ec96fe15c252307e5f69393828d4580cceb4f
SHA256

f2529c9a8dbb8d18018aae776ed1c94df2ff571ab32017780947244b734133e2
SHA512

2baf55d2327ba8f4201050bf5e22064fc2737d232750a20865f50f48a8b3f809e68ee2eab7ed95f71abbeb1dbf967c12444221720210878c9daaf30c10f9f42c
SSDEEP

24576:ByqmWizYPZL+CTyOgUfTAqVRImQpYnVhC1A4rydSqGBATGQ:0qaYvZgDqrW42wOB

Score

10^/10

amadey redline gena luser discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luser

C2

185.161.248.73:4164

Attributes

auth_value
cf14a84de9a3b6b7b8981202f3b616fb

Extracted

Family

redline

Botnet

gena

C2

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Targets

- Target
  
  f2529c9a8dbb8d18018aae776ed1c94df2ff571ab32017780947244b734133e2
- Size
  
  1.2MB
- MD5
  
  ecb2988eec7a7335a79d26912a343ec1
- SHA1
  
  577ec96fe15c252307e5f69393828d4580cceb4f
- SHA256
  
  f2529c9a8dbb8d18018aae776ed1c94df2ff571ab32017780947244b734133e2
- SHA512
  
  2baf55d2327ba8f4201050bf5e22064fc2737d232750a20865f50f48a8b3f809e68ee2eab7ed95f71abbeb1dbf967c12444221720210878c9daaf30c10f9f42c
- SSDEEP
  
  24576:ByqmWizYPZL+CTyOgUfTAqVRImQpYnVhC1A4rydSqGBATGQ:0qaYvZgDqrW42wOB
Score

10^/10

amadey redline gena luser discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyredlinegenaluserdiscoveryevasioninfostealerpersistencespywarestealertrojan