amadey | c046db938f11de20bb8fe317e000c71e38b025ab89441377d1697f6fc8e44ac9 | Triage

Sharing

General

Target

c046db938f11de20bb8fe317e000c71e38b025ab89441377d1697f6fc8e44ac9
Size

1.5MB
Sample

230904-l1kz9afd2w
MD5

69bddbf497eff9c4b9d21bf2d946b74f
SHA1

9bd3be126ad41c57f72da9e5f9936c1a59c4b44e
SHA256

c046db938f11de20bb8fe317e000c71e38b025ab89441377d1697f6fc8e44ac9
SHA512

0aee64a2e57ab073cbfff587e4f7cb22b6556be88a7af56b7f2a1e88730f93e1b014401bc5d268e0a6d6e4c79093634a1bb31f3e7c85a75267516823ac92f91b
SSDEEP

49152:wC36+EjqtKeRUHq0HPQF/4wJsu+b0Xv5MgEAtJZouQruz:o+ftKeRUHq0vQx4iJ+AXv2aZSaz

Score

10^/10

amadey redline gena infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

77.91.68.18/nice/index.php

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

gena

C2

77.91.124.82:19071

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Targets

- Target
  
  c046db938f11de20bb8fe317e000c71e38b025ab89441377d1697f6fc8e44ac9
- Size
  
  1.5MB
- MD5
  
  69bddbf497eff9c4b9d21bf2d946b74f
- SHA1
  
  9bd3be126ad41c57f72da9e5f9936c1a59c4b44e
- SHA256
  
  c046db938f11de20bb8fe317e000c71e38b025ab89441377d1697f6fc8e44ac9
- SHA512
  
  0aee64a2e57ab073cbfff587e4f7cb22b6556be88a7af56b7f2a1e88730f93e1b014401bc5d268e0a6d6e4c79093634a1bb31f3e7c85a75267516823ac92f91b
- SSDEEP
  
  49152:wC36+EjqtKeRUHq0HPQF/4wJsu+b0Xv5MgEAtJZouQruz:o+ftKeRUHq0vQx4iJ+AXv2aZSaz
Score

10^/10

amadey redline gena infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyredlinegenainfostealerpersistencetrojan