amadey | 024bfe0a05c6e6790d67c8e32e075fa551a1bb0bec80d53f293b105d5ac29f05 | Triage

Sharing

General

Target

024bfe0a05c6e6790d67c8e32e075fa551a1bb0bec80d53f293b105d5ac29f05
Size

489KB
Sample

230509-1f7e3seb56
MD5

a1797d59ef1c52c65f288814c5e44f89
SHA1

46a4eb275de1150c003ebe77cbac330600e88ade
SHA256

024bfe0a05c6e6790d67c8e32e075fa551a1bb0bec80d53f293b105d5ac29f05
SHA512

f6c7f23ed8b41e9ec1ca6b0af9f3faf3e1b3f777401e8e95b3ad7732759395cec0f8e39fd1873f615ad621b1d7cb411555f6a88e3c3c7a7bfb1bb5c4e9daf74a
SSDEEP

12288:FMrRy90lwiX9hCbNkXpvOoBoLSXObWswV2hVShf:Myy/99Zv0LDzef

Score

10^/10

amadey redline lulsa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lulsa

C2

217.196.96.101:4132

Attributes

auth_value
2bb8e3870ce0ad119d2840b124222121

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Targets

- Target
  
  024bfe0a05c6e6790d67c8e32e075fa551a1bb0bec80d53f293b105d5ac29f05
- Size
  
  489KB
- MD5
  
  a1797d59ef1c52c65f288814c5e44f89
- SHA1
  
  46a4eb275de1150c003ebe77cbac330600e88ade
- SHA256
  
  024bfe0a05c6e6790d67c8e32e075fa551a1bb0bec80d53f293b105d5ac29f05
- SHA512
  
  f6c7f23ed8b41e9ec1ca6b0af9f3faf3e1b3f777401e8e95b3ad7732759395cec0f8e39fd1873f615ad621b1d7cb411555f6a88e3c3c7a7bfb1bb5c4e9daf74a
- SSDEEP
  
  12288:FMrRy90lwiX9hCbNkXpvOoBoLSXObWswV2hVShf:Myy/99Zv0LDzef
Score

10^/10

amadey redline lulsa discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyredlinelulsadiscoveryevasioninfostealerpersistencespywarestealertrojan