amadey | 83ac91faa808804775ec3929b9c999906343beca0ec10febd2382738f8db1353 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

83ac91faa808804775ec3929b9c999906343beca0ec10febd2382738f8db1353
Size

812KB
Sample

230904-j9lxssfc26
MD5

07bff6f9e0bb2256cde516554110127f
SHA1

804ba10cd263dbe5e4cb93681ac97b29d77f0788
SHA256

83ac91faa808804775ec3929b9c999906343beca0ec10febd2382738f8db1353
SHA512

389a0260a4d8b7ce46e66981d4f80d6ccc5776d33e70d9d54b2594c989bacc4b477e6026731a83b94c9eabfeb4d26ee61e0be985624b309ffef57c1395205f18
SSDEEP

12288:nMr9y90hMWZ1DrrEc79w+binWBF51ARpJxZGFghZF7uOZZlmgwIIB2PI:WypgrEc2WF5GJzXhHu8lmVIO2PI

Score

10^/10

amadey redline gena evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

77.91.68.18/nice/index.php

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

gena

C2

77.91.124.82:19071

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Targets

- Target
  
  83ac91faa808804775ec3929b9c999906343beca0ec10febd2382738f8db1353
- Size
  
  812KB
- MD5
  
  07bff6f9e0bb2256cde516554110127f
- SHA1
  
  804ba10cd263dbe5e4cb93681ac97b29d77f0788
- SHA256
  
  83ac91faa808804775ec3929b9c999906343beca0ec10febd2382738f8db1353
- SHA512
  
  389a0260a4d8b7ce46e66981d4f80d6ccc5776d33e70d9d54b2594c989bacc4b477e6026731a83b94c9eabfeb4d26ee61e0be985624b309ffef57c1395205f18
- SSDEEP
  
  12288:nMr9y90hMWZ1DrrEc79w+binWBF51ARpJxZGFghZF7uOZZlmgwIIB2PI:WypgrEc2WF5GJzXhHu8lmVIO2PI
Score

10^/10

amadey redline gena evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyredlinegenaevasioninfostealerpersistencetrojan