General

  • Target

    72cc7ecb49837771303a8f567a2b7dd2e7f5ad7790c5b3aa0011fb981106cb31.exe

  • Size

    2.1MB

  • Sample

    220415-qnbm9sbcam

  • MD5

    06777de46e46ddf54d0dec2794ee292e

  • SHA1

    ad05474b996e88be045de557af5d58238210b4ce

  • SHA256

    72cc7ecb49837771303a8f567a2b7dd2e7f5ad7790c5b3aa0011fb981106cb31

  • SHA512

    d781c4ea0efbff6de3eea7471c00520f8bd5941f050f7db8517715ad91c2dd881fab416dd40bd40aa30c50785453dae2e77c16eb23a7e17feca899b95b71abe8

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    45.227.255.33
  • Port:
    21
  • Username:
    UserPower
  • Password:
    JAHSDJHahh2112ghasUI

Extracted

Family

  • Family:
    amadey
  • Version:
    3.04
  • C2:
    185.215.113.47/k0uTrd3d/index.php

Extracted

Family

  • Family:
    redline
  • Botnet:
    RAIN
  • C2:
    185.215.113.107:1433

Attributes
  • auth_value:
    6f5ef291082708f554c0ca96898f1c50

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    78.47.44.43
  • Port:
    21
  • Username:
    Kolacing
  • Password:
    po666sGWnKLQeP1

Targets

    • Target

      72cc7ecb49837771303a8f567a2b7dd2e7f5ad7790c5b3aa0011fb981106cb31.exe

    • Size

      2.1MB

    • MD5

      06777de46e46ddf54d0dec2794ee292e

    • SHA1

      ad05474b996e88be045de557af5d58238210b4ce

    • SHA256

      72cc7ecb49837771303a8f567a2b7dd2e7f5ad7790c5b3aa0011fb981106cb31

    • SHA512

      d781c4ea0efbff6de3eea7471c00520f8bd5941f050f7db8517715ad91c2dd881fab416dd40bd40aa30c50785453dae2e77c16eb23a7e17feca899b95b71abe8

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Meta Stealer Stealer

      Meta Stealer, written in C++, steals passwords stored in browsers.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • suricata: ET MALWARE Amadey CnC Check-In

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks