amadey

General

Target

1d3e10adc7685d83f72d99f44fe63a27.exe
Size

172KB
Sample

230801-zdj2bscb2z
MD5

1d3e10adc7685d83f72d99f44fe63a27
SHA1

f882c4b68aac7366d434bfc7f2936d24e9ac0e21
SHA256

747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369
SHA512

90def681e0084198765f10e29e3c4abc7e256bf796cd84639ca60f2b09d6fc19e8294f49b23e7f9a201e99b3705b4123256b3393cbc2b8277648c575f6d4d460
SSDEEP

1536:lAMV836sv0W7T/lwNrH3LJEpdqkOmcAiPxNAhYQH1bu9NuyKQJ9Q50GkRI8e8h+:aE+dmLenqkLchPxNHgyXxJ9Q5r8e8h+

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

280723_red_FOX

C2

85.209.3.10:11615

Attributes

auth_value
f1e4c42c7ec8a1eb87a921a947333d06

Extracted

Family

amadey

Version

3.80

C2

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Extracted

Family

laplas

C2

http://206.189.229.43

Attributes

api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Targets

- Target
  
  1d3e10adc7685d83f72d99f44fe63a27.exe
- Size
  
  172KB
- MD5
  
  1d3e10adc7685d83f72d99f44fe63a27
- SHA1
  
  f882c4b68aac7366d434bfc7f2936d24e9ac0e21
- SHA256
  
  747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369
- SHA512
  
  90def681e0084198765f10e29e3c4abc7e256bf796cd84639ca60f2b09d6fc19e8294f49b23e7f9a201e99b3705b4123256b3393cbc2b8277648c575f6d4d460
- SSDEEP
  
  1536:lAMV836sv0W7T/lwNrH3LJEpdqkOmcAiPxNAhYQH1bu9NuyKQJ9Q50GkRI8e8h+:aE+dmLenqkLchPxNHgyXxJ9Q5r8e8h+
Score

10^/10

amadey laplas redline 280723_red_fox clipper evasion infostealer spyware stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2