amadey

General

Target

ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db
Size

4.9MB
Sample

240324-fsyngshh77
MD5

50d55c187abcd975629a918970b0a2f1
SHA1

2c248c8f093561cc2318179ea1179fd5b172e6be
SHA256

ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db
SHA512

9a4ff95a3a2fd2b4dbeb98c7d1061d1991be5868093f3095e29ee3db8369b41e507d8d0f6bd85b77619431f60cc5532fc6a7a59612a6b30583194c07adee1d5b
SSDEEP

98304:9ayPd4hW/JfMkTQmWPKql6M96BRqchrx91hDORM7seCKaZSwWyQ+kivmjw38:9FJRkm6Kql6MMBRqchrx9ktBZ78jwM

Score

10^/10

amadey redline logsdiller cloud (telegram: @logsdillabot)discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes

install_dir
154561dcbf
install_file
Dctooux.exe
strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

5.42.65.68:29093

Extracted

Family

amadey

Version

4.18

Attributes

strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Targets

- Target
  
  ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db
- Size
  
  4.9MB
- MD5
  
  50d55c187abcd975629a918970b0a2f1
- SHA1
  
  2c248c8f093561cc2318179ea1179fd5b172e6be
- SHA256
  
  ffc320e5f95d05b9eb4b50db80a8f2f29b20bc166ed6476c570d7276ce8432db
- SHA512
  
  9a4ff95a3a2fd2b4dbeb98c7d1061d1991be5868093f3095e29ee3db8369b41e507d8d0f6bd85b77619431f60cc5532fc6a7a59612a6b30583194c07adee1d5b
- SSDEEP
  
  98304:9ayPd4hW/JfMkTQmWPKql6M96BRqchrx91hDORM7seCKaZSwWyQ+kivmjw38:9FJRkm6Kql6MMBRqchrx9ktBZ78jwM
Score

10^/10

amadey redline logsdiller cloud (telegram: @logsdillabot)discovery infostealer spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2