amadey | 0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e | Triage

Sharing

General

Target

file.exe
Size

301KB
Sample

230517-g9ga7sda2x
MD5

5599f89944adc8ccad21b5ab94d33381
SHA1

8df8ce98cdf2a8cef21e26b03841818c9d522ded
SHA256

0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e
SHA512

a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171
SSDEEP

6144:BWHRhTLdCwcaYsbhO83elSyRG/1dZENASIbNjVveSvdNGf3m:BYBCwssbhOnSy3iBbNpvdk/

Score

10^/10

amadey redline persom infostealer spyware trojan

Malware Config

Extracted

Family

amadey

Version

3.69

C2

88.218.60.230/Gb2dZz/index.php

Extracted

Family

redline

Botnet

PERSOM

C2

176.124.219.192:14487

Attributes

auth_value
0695a610af712a57529526101d7e83b2

Targets

- Target
  
  file.exe
- Size
  
  301KB
- MD5
  
  5599f89944adc8ccad21b5ab94d33381
- SHA1
  
  8df8ce98cdf2a8cef21e26b03841818c9d522ded
- SHA256
  
  0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e
- SHA512
  
  a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171
- SSDEEP
  
  6144:BWHRhTLdCwcaYsbhO83elSyRG/1dZENASIbNjVveSvdNGf3m:BYBCwssbhOnSy3iBbNpvdk/
Score

10^/10

amadey redline persom infostealer spyware trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyredlinepersominfostealerspywaretrojan

behavioral2

amadeyredlinepersominfostealerspywaretrojan