General

  • Target

    Install.exe

  • Size

    7MB

  • Sample

    221109-mj4lpsgab2

  • MD5

    2cc80b5a83b5e1b96bf817d26099e664

  • SHA1

    2507f7ca248884372a3088bf6413bd8292f898ca

  • SHA256

    06c9681d0fcdc083535d3aaa823b0d5a483bb93f237fb7857cd8e72b20f4088c

  • SHA512

    d5027ecda8337735e2149f6048124975e06e25865150f01b357d80926c8b786e1e0dc64cebf51b7c85bc5f72ec07571a4f170882ed386753ff6905b7dd2ba007

  • SSDEEP

    196608:Pkc8XmEtyfj6x5kMdFYjdYb9UNaLhKxgNq+W3D:Pkc8WEw4kAFYqUNaLhqgNVA

Malware Config

Extracted

  • Family

    privateloader

  • C2

    http://108.174.200.11/MWTSL

    http://108.174.198.132/MWTSL

    http://108.174.199.249/MWTSL

Extracted

  • Family

    redline

  • Botnet

    6.67

  • C2

    103.89.90.61:34589

  • Attributes

    auth_value: 57de334192d09500bf7d628d081a6039

Extracted

  • Family

    redline

  • Botnet

    neruzki

  • C2

    193.106.191.22:47242

  • Attributes

    auth_value: be14ae67c6dd227f622680a27ea42452

Extracted

  • Family

    redline

  • Botnet

    new1109

  • C2

    jalocliche.xyz:81

    chardhesha.xyz:81

  • Attributes

    auth_value: 4e1b0eea6916e5eec6474516190b3725

Targets

    • Target

      Install.exe

    • Size

      7MB

    • MD5

      2cc80b5a83b5e1b96bf817d26099e664

    • SHA1

      2507f7ca248884372a3088bf6413bd8292f898ca

    • SHA256

      06c9681d0fcdc083535d3aaa823b0d5a483bb93f237fb7857cd8e72b20f4088c

    • SHA512

      d5027ecda8337735e2149f6048124975e06e25865150f01b357d80926c8b786e1e0dc64cebf51b7c85bc5f72ec07571a4f170882ed386753ff6905b7dd2ba007

    • SSDEEP

      196608:Pkc8XmEtyfj6x5kMdFYjdYb9UNaLhKxgNq+W3D:Pkc8WEw4kAFYqUNaLhqgNVA

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix

  • Command and Control

  • Credential Access

  • Execution

  • Exfiltration

  • Impact

  • Initial Access

  • Lateral Movement

  • Persistence

  • Privilege Escalation

Tasks