amadey

Resubmissions

09-04-2024 13:47

240409-q3kvgsbh4v 10

09-04-2024 13:47

09-04-2024 13:47

09-04-2024 13:47

31-08-2023 01:46

Sharing

Copy URL

Twitter E-mail

General

Target

a5dfba638e1d160071f6b4b3506fe316.bin
Size

1.4MB
Sample

240409-q3kvgsbh4v
MD5

c37abe3aaa543134440b0b62594b0368
SHA1

83d926bd57361aa393475f42ab86ecc20c8e9294
SHA256

b696bbaf9264728fffb4de1bb04ef076633495a7d0ed846cb2cc77d8818abb3e
SHA512

4078ff1213e564abae4c33765d8e414d72a657fec813e8374a84ca7d73b3cb949b1ba5158f5b5aa2de334eccd4e575aba820eaf52a9ec2b1ebeb45e27bd1bd86
SSDEEP

24576:kmuV5cIDHvU4leQiymtmdpDGhB8JDQYVFhNJkTV/R8EcPqd6I/XcGMHRYMV3rmRZ:kNrc0H8iTmsShOHfJFEcPqd6ITMxYMV6

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

3.87

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Targets

- Target
  
  7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524.exe
- Size
  
  1.4MB
- MD5
  
  a5dfba638e1d160071f6b4b3506fe316
- SHA1
  
  c284314d0de513cd37a9b01c8e5a9aabe4fd9bb3
- SHA256
  
  7bf753b3b29b29238df118757228447e9a6b14533aaea21270a1ba3cf918f524
- SHA512
  
  822fc7b7e4133c6bf8ac58790b327352bee771230c7f67f55c881c80cc4b26d09eb4b16cae0065edb23e1249167a03939a5fd97c3c359a5dc081ddb872b26fc6
- SSDEEP
  
  24576:ryTL4TvffA66MEMTOLq5MhObXGcL+HsZzKyOF3kJSNl/jUXFsMeLMKdI/OGmhi3t:eT8T3fA5MEMTOLiycSOK93hIveYYI/Hz
Score

10^/10

amadey mystic redline sruta infostealer persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4