amadey | 1676411d02b07b45cbe6443890a3bd0a49042357eff6360d2ecbc74efaeea731 | Triage

Sharing

General

Target

ki755705.exe
Size

983KB
Sample

230516-gty63sab3w
MD5

39ed25b320d8cd9c020b3bb634b41846
SHA1

4ada7f1947eca18f7a5f6bb945cb561bafd67de9
SHA256

1676411d02b07b45cbe6443890a3bd0a49042357eff6360d2ecbc74efaeea731
SHA512

8f0d6e114bbe570d6655218a0c293fa232af24c878cbfc6d359bd7c552f2219f7c8ae78a9899efb108f98aa43eabac84b9eb40eda254d5e8c2c483e5f873813a
SSDEEP

12288:MMryy90x6YxLq+5nBvBDu3AcDhYR6zDYmWwt35pEvPIin/Q4eAUHpvGf3lAZPupa:my8ZBvoGEDXxDpEvYXNpvM6ZG4

Score

10^/10

amadey redline lada evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

amadey

Version

3.70

C2

193.201.9.43/plays/chapter/index.php

Targets

- Target
  
  ki755705.exe
- Size
  
  983KB
- MD5
  
  39ed25b320d8cd9c020b3bb634b41846
- SHA1
  
  4ada7f1947eca18f7a5f6bb945cb561bafd67de9
- SHA256
  
  1676411d02b07b45cbe6443890a3bd0a49042357eff6360d2ecbc74efaeea731
- SHA512
  
  8f0d6e114bbe570d6655218a0c293fa232af24c878cbfc6d359bd7c552f2219f7c8ae78a9899efb108f98aa43eabac84b9eb40eda254d5e8c2c483e5f873813a
- SSDEEP
  
  12288:MMryy90x6YxLq+5nBvBDu3AcDhYR6zDYmWwt35pEvPIin/Q4eAUHpvGf3lAZPupa:my8ZBvoGEDXxDpEvYXNpvM6ZG4
Score

10^/10

amadey redline lada evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyredlineladaevasioninfostealerpersistencetrojan

behavioral2

amadeyredlineladaevasioninfostealerpersistencetrojan