amadey

General

Target

165dd59981c175dfbed0b0e798fb1c05804d4da85a81852f643b94a7ff16341d
Size

1.2MB
Sample

230505-wsh6ssca52
MD5

2da45515a17ab23ed54b0cfc0f67befb
SHA1

cf631865ba22875cb48ca1a046e582942aba795f
SHA256

165dd59981c175dfbed0b0e798fb1c05804d4da85a81852f643b94a7ff16341d
SHA512

71aaf358b7de650aa22bae520c4bf16d23cd628077d2de8dcaca8f4fbb304f2634a792645e5de057cd3f76830f02bcc690a415aca27a4c583f0e915ba80813d8
SSDEEP

24576:yybRI1Wq1DFEJSVX0yvw7Bq060+pMKgePwQRKYaaT2zOPITHuLUwEVIQ:ZbRIISaV5BZ6tM1e4Q0YaY4OPITH9I

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

217.196.96.56:4138

Attributes

auth_value
fcb02fce9bc10c56a9841d56974bd7b8

Extracted

Family

redline

Botnet

boom

C2

217.196.96.56:4138

Attributes

auth_value
1ce6aebe15bac07a7bc88b114bc49335

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Targets

- Target
  
  165dd59981c175dfbed0b0e798fb1c05804d4da85a81852f643b94a7ff16341d
- Size
  
  1.2MB
- MD5
  
  2da45515a17ab23ed54b0cfc0f67befb
- SHA1
  
  cf631865ba22875cb48ca1a046e582942aba795f
- SHA256
  
  165dd59981c175dfbed0b0e798fb1c05804d4da85a81852f643b94a7ff16341d
- SHA512
  
  71aaf358b7de650aa22bae520c4bf16d23cd628077d2de8dcaca8f4fbb304f2634a792645e5de057cd3f76830f02bcc690a415aca27a4c583f0e915ba80813d8
- SSDEEP
  
  24576:yybRI1Wq1DFEJSVX0yvw7Bq060+pMKgePwQRKYaaT2zOPITHuLUwEVIQ:ZbRIISaV5BZ6tM1e4Q0YaY4OPITH9I
Score

10^/10

amadey redline boom lupa discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Redline Stealer samples
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  stealer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2