amadey | c72c3cac96cdcdc35cdb13f7e337aec9943a47a68599292aed08646b06e55605 | Triage

Sharing

General

Target

707c58d1dbfd454ec4fc46c71.bin
Size

431KB
Sample

230628-rqmzraag9v
MD5

5b3d3e8e90b403a5fa2cf645248140cc
SHA1

47671d9735a22ef14da6c4435dd4d623d43b59f2
SHA256

c72c3cac96cdcdc35cdb13f7e337aec9943a47a68599292aed08646b06e55605
SHA512

322112ddf70e7ccd4f570d17beee521a3038995f9efc11c2dc887eddb9502830442ccfdffc1388063fd20a8b9716279433d7409378f0cbf5fc0c7072f3b2f5fb
SSDEEP

12288:OLBioF10lcthkdOqBIoVSq+wmPEKrXwF8:OLwoF1xDqBIoVSDPEKrXp

Score

10^/10

amadey redline drake discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

drake

C2

83.97.73.131:19071

Attributes

auth_value
74ce6ffe4025a2e4027fb727915e7d7c

Extracted

Family

amadey

Version

3.84

C2

77.91.68.63/doma/net/index.php

Targets

- Target
  
  d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e.exe
- Size
  
  508KB
- MD5
  
  707c58d1dbfd454ec4fc46c717deeae3
- SHA1
  
  e403877bc39370411de7d96ef6e92a6876d9faa5
- SHA256
  
  d2834fa972322f62bd9f84ab763de4f1a3f047e5d713255fef91ef17da392f8e
- SHA512
  
  e42b7afc9d0845b8e8657eeaba93ae5095f2bd05f750ccf6385a79f650c0333f972215ffe00bad461dd29ca018a91caf512bc8543bd59f45e23847db78638217
- SSDEEP
  
  12288:ntOy03z+7mXpO8kFqKoAZlpPH17BoS4jBHQ:sy0g4O8pKowTv17VoBHQ
Score

10^/10

amadey redline drake discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyredlinedrakediscoveryevasioninfostealerpersistencespywarestealertrojan

behavioral2

amadeyredlinedrakediscoveryevasioninfostealerpersistencespywarestealertrojan