amadey | 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01 | Triage

Submit
Reports

Overview

overview

Static

static

7

55aa5e.exe

windows7-x64

55aa5e.exe

windows10-1703-x64

55aa5e.exe

windows10-2004-x64

Resubmissions

20-09-2023 14:30

230920-rt5nzagg9v 10

Sharing

General

Target

55aa5e.exe
Size

6.9MB
Sample

230920-rt5nzagg9v
MD5

56c197e493f74f9233a16cdefab3109f
SHA1

af35bd2fd5d884bdf6bea8aac695e98f5a00715a
SHA256

172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01
SHA512

d2830cfebfaa859f5fca15e3c81799e99c3cb31f72b1075d8828f03a490bfe6196b34d35bbcaede32a6d63d5c2d9bc17bea009e1bd8787cb4397f6627328b086
SSDEEP

98304:ULop5mhzd71cBjG9Azp56BV8cM0AnwGSOnTXsYGeCW1zbiG54WeOVEMMRHGV7E:0op5mqU9KE8nNZnTXaexbZWsMGV7E

Score

10^/10

amadey redline infostealer spyware trojan vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

55aa5e.exe

Resource

win7-20230831-en

amadey trojan vmprotect

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

55aa5e.exe

Resource

win10-20230915-en

amadey redline infostealer spyware trojan vmprotect

windows10-1703-x64

13 signatures

150 seconds

Behavioral task

behavioral3

Sample

55aa5e.exe

Resource

win10v2004-20230915-en

amadey redline infostealer spyware trojan vmprotect

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://5.42.64.33/vu3skClDn/index.php

Attributes

install_dir
a304d35d74
install_file
yiueea.exe
strings_key
3ae6c4e6339065c6f5a368011bb5cb8c

rc4.plain

Targets

- Target
  
  55aa5e.exe
- Size
  
  6.9MB
- MD5
  
  56c197e493f74f9233a16cdefab3109f
- SHA1
  
  af35bd2fd5d884bdf6bea8aac695e98f5a00715a
- SHA256
  
  172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01
- SHA512
  
  d2830cfebfaa859f5fca15e3c81799e99c3cb31f72b1075d8828f03a490bfe6196b34d35bbcaede32a6d63d5c2d9bc17bea009e1bd8787cb4397f6627328b086
- SSDEEP
  
  98304:ULop5mhzd71cBjG9Azp56BV8cM0AnwGSOnTXsYGeCW1zbiG54WeOVEMMRHGV7E:0op5mqU9KE8nNZnTXaexbZWsMGV7E
Score

10^/10

amadey trojan vmprotect redline infostealer spyware
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

amadeytrojanvmprotect

behavioral2

amadeyredlineinfostealerspywaretrojanvmprotect

behavioral3

amadeyredlineinfostealerspywaretrojanvmprotect

© 2018-2024

Terms | Privacy