General

  • Target

    f997fc9407991062241af5442395f248.exe

  • Size

    623KB

  • Sample

    211220-xs8bcscdhp

  • MD5

    f997fc9407991062241af5442395f248

  • SHA1

    65e35087a12acb4e7cf06fefd944c812300c53ef

  • SHA256

    aafd6e7487c5c216557edd7a6d58fd7e24a5d8f37d0081cc79949173b0822623

  • SHA512

    32d9b1c9c08085d803979d472b7a8f20e4e710c2fc9113abb6126116d5e693d7d7f3183d11ecae01e504c30c3bc9b79ad88448574e7c9e78c7f0ce0516a70d7b

Malware Config

Extracted

  • Family

    redline

  • Botnet

    runpe

  • C2

    142.202.242.172:7667

Extracted

  • Family

    amadey

  • Version

    2.86

  • C2

    2.56.56.210/notAnoob/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread and cause damage.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Change Default File Association (T1042): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 2

Tasks