amadey | 7252b3ba9094d91a1e12f9c9944f24ccf25c9a4c75e7f7e3380ca37b8e6bfbcd | Triage

Sharing

General

Target

NEAS.be9c6334a9f060d8e383c10608a271a0.exe
Size

1.4MB
Sample

231103-t58wwaeh8v
MD5

be9c6334a9f060d8e383c10608a271a0
SHA1

89958e3ef709d8e05e9b5bae33d09149098dc0d1
SHA256

7252b3ba9094d91a1e12f9c9944f24ccf25c9a4c75e7f7e3380ca37b8e6bfbcd
SHA512

094c026745ecc79e088cc0cdc4387c1f254a3d2c4e755234d914e399bda1bd6dddd5777f1e7bf1bdaa4a81ed9dab11cf4501fd363131a0309643a9e1f90def5b
SSDEEP

24576:lyU/Q553sqM2nXWkJ0MT9opnaX6RXVX6iU3jA7MvnhwmEY3Ji8KeMGCfY:An558NCXW4B96aX4XVXK3IMpFEYJi8KI

Score

10^/10

amadey mystic redline frant evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Targets

- Target
  
  NEAS.be9c6334a9f060d8e383c10608a271a0.exe
- Size
  
  1.4MB
- MD5
  
  be9c6334a9f060d8e383c10608a271a0
- SHA1
  
  89958e3ef709d8e05e9b5bae33d09149098dc0d1
- SHA256
  
  7252b3ba9094d91a1e12f9c9944f24ccf25c9a4c75e7f7e3380ca37b8e6bfbcd
- SHA512
  
  094c026745ecc79e088cc0cdc4387c1f254a3d2c4e755234d914e399bda1bd6dddd5777f1e7bf1bdaa4a81ed9dab11cf4501fd363131a0309643a9e1f90def5b
- SSDEEP
  
  24576:lyU/Q553sqM2nXWkJ0MT9opnaX6RXVX6iU3jA7MvnhwmEY3Ji8KeMGCfY:An558NCXW4B96aX4XVXK3IMpFEYJi8KI
Score

10^/10

amadey mystic redline frant evasion infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

amadeymysticredlinefrantevasioninfostealerpersistencestealertrojan