General

  • Target

    3bc0f41166cf7bb68ca9dba8a69ea593

  • Size

    1.2MB

  • Sample

    211202-txvpaaadfm

  • MD5

    3bc0f41166cf7bb68ca9dba8a69ea593

  • SHA1

    18c3ee0cae1557b0da8443a1a06e652c1a64f272

  • SHA256

    51bda9cff13b4515a21d412a59a51746594613eed7fe0cb21f1ee8037baabf66

  • SHA512

    c5b48698155ef5f6d1799150a5220be7f6436da498ed1259d4f20338bcfe75a55bc714c8963417e6917a3301145564845967b231ceab10d369367cea923f13d1

Malware Config

  • Extracted

    Family: redline
    Botnet: test01.12
    C2: 185.215.113.15:21508

  • Extracted

    Family: redline
    Botnet: 1.12.2021
    C2: 95.217.213.248:42382

  • Extracted

    Family: redline
    Botnet: 1.12mix222
    C2: 104.238.221.208:21732

  • Extracted

    Family: amadey
    Version: 2.85
    C2: 185.215.113.35/d2VxjasuwS/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • suricata: ET MALWARE Amadey CnC Check-In

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic                Technique                      ID      Count
Execution             Scheduled Task                 T1053   1
Persistence           Scheduled Task                 T1053   1
Privilege Escalation  Scheduled Task                 T1053   1
Credential Access     Credentials in Files           T1081   2
Discovery             Query Registry                 T1012   1
Discovery             System Information Discovery   T1082   1
Collection            Data from Local System         T1005   2