amadey | 2ca32965e9d45430043a94d612edf4a3c5ca6f206c39155d5bd56390da3849c2 | Triage

Sharing

General

Target

230906-x5evksbc6s_pw_infected.zip
Size

1.4MB
Sample

230907-lq3gjsgc9t
MD5

9ff5a973313de3b6f0fca69610843bd7
SHA1

4235d575d0223bae47b4677c7ca89dcb8ca9089c
SHA256

2ca32965e9d45430043a94d612edf4a3c5ca6f206c39155d5bd56390da3849c2
SHA512

9ddae909c59a100f6726fcbb354e937b10bacbcda8e12e737a726623907ab1c95589a67295ac6a986f47ba17e1c046d0564ac68cbe82dbd71ec7d44ec5e7b1d1
SSDEEP

24576:yWbQaZHgUIlfbUBfGHZUXcI57akKrR1Q1O1ZFRQ8nh9B5tvdI2uBtSLp9jCttT7b:FcaZAUIlo8HIcI57akKPQ+7m89l1u/Sc

Score

10^/10

amadey redline gena paypal infostealer persistence phishing trojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

77.91.68.18/nice/index.php

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

gena

C2

77.91.124.82:19071

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Targets

- Target
  
  y6467268_JC.exe
- Size
  
  1.4MB
- MD5
  
  ddb5fe9c48ec02d43fe40e3be0fb6972
- SHA1
  
  adaa8c52351c2412be289f2179ec5ecd7d5c1fcb
- SHA256
  
  688dfa93e23ecdf662eab782b42fad8732a4a1fa2d39b0a9be1f0c19efb3ede7
- SHA512
  
  6f6eb01817abaa514f9d989a0339760ed29e64aba390b2214562f36314c3173275bf0b249c50f613e6560169b99d9151f85f8b2abb544ecc91d01a3e3c9eab7a
- SSDEEP
  
  24576:lyj3+xivG7etKyElnVkgoog/HvHSqOUc1rPM16pHhVno8/2zoIpqDdfO5Bmbs74s:Aj3+gvGytKyElVjo1PvTOtE1YVvrfdX2
Score

10^/10

amadey redline gena paypal infostealer persistence phishing trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

amadeyredlinegenapaypalinfostealerpersistencephishingtrojan

behavioral2

amadeyredlinegenainfostealerpersistencetrojan