amadey

General

Target

207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32
Size

1.5MB
Sample

240517-y2143sha6t
MD5

9e0d8d07a60fabc862137c73218944e0
SHA1

05a4e4e5c1f298d413616a85735ecdd000529e2f
SHA256

207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32
SHA512

d060c501beba283f1f56cc4487950e2f079dfdbd95101692da12f40c11c9dcf859a360186b2edd95a9e21ba543bb7602a23780214c170a8f02f0d71bb509cc73
SSDEEP

24576:LEd6iSHW2y1SQuqdg2cfW6b62vz++bTmDQC9iWbMVxXbei5FU94r+:Ad6iaIfuqdgoA6yPmN9kxXbeivU9U+

Score

10^/10

amadey redline risepro 1 18befc c767c0 discovery evasion execution infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

C2

http://5.42.96.141

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

C2

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

1

C2

185.215.113.67:26260

Targets

- Target
  
  207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32
- Size
  
  1.5MB
- MD5
  
  9e0d8d07a60fabc862137c73218944e0
- SHA1
  
  05a4e4e5c1f298d413616a85735ecdd000529e2f
- SHA256
  
  207306e9b32283dc47f10dbd428e3e157d611ab1b64c8154b15854bda85ffa32
- SHA512
  
  d060c501beba283f1f56cc4487950e2f079dfdbd95101692da12f40c11c9dcf859a360186b2edd95a9e21ba543bb7602a23780214c170a8f02f0d71bb509cc73
- SSDEEP
  
  24576:LEd6iSHW2y1SQuqdg2cfW6b62vz++bTmDQC9iWbMVxXbei5FU94r+:Ad6iaIfuqdgoA6yPmN9kxXbeivU9U+
Score

10^/10

amadey redline risepro 1 18befc c767c0 discovery evasion execution infostealer persistence spyware stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2