amadey

General

Target

eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
Size

431KB
Sample

241213-a3r1ssvlgl
MD5

4962575a2378d5c72e7a836ea766e2ad
SHA1

549964178b12017622d3cbdda6dbfdef0904e7e2
SHA256

eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
SHA512

911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53
SSDEEP

12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

5.10

Botnet

0f3be6

C2

http://185.81.68.147

http://185.81.68.148

Attributes

install_dir
ee29ea508b
install_file
Gxtuum.exe
strings_key
d3a5912ea69ad34a2387af70c8be9e21
url_paths
/7vhfjke3/index.php

/8Fvu5jh4DbS/index.php

rc4.plain

Extracted

Family

redline

Botnet

eewx

C2

185.81.68.147:1912

Targets

- Target
  
  eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
- Size
  
  431KB
- MD5
  
  4962575a2378d5c72e7a836ea766e2ad
- SHA1
  
  549964178b12017622d3cbdda6dbfdef0904e7e2
- SHA256
  
  eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
- SHA512
  
  911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53
- SSDEEP
  
  12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb
Score

10^/10

amadey redline 0f3be6 eewx credential_access discovery execution infostealer persistence privilege_escalation pyinstaller spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2