Overview

overview

10

Static

static

Install.exe

windows7-x64

10

Install.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Install.exe

  • Size

    7MB

  • Sample

    221109-mj4lpsgab2

  • MD5

    2cc80b5a83b5e1b96bf817d26099e664

  • SHA1

    2507f7ca248884372a3088bf6413bd8292f898ca

  • SHA256

    06c9681d0fcdc083535d3aaa823b0d5a483bb93f237fb7857cd8e72b20f4088c

  • SHA512

    d5027ecda8337735e2149f6048124975e06e25865150f01b357d80926c8b786e1e0dc64cebf51b7c85bc5f72ec07571a4f170882ed386753ff6905b7dd2ba007

  • SSDEEP

    196608:Pkc8XmEtyfj6x5kMdFYjdYb9UNaLhKxgNq+W3D:Pkc8WEw4kAFYqUNaLhqgNVA

Score
10/10
amadeyprivateloaderredline6.67neruzkinew1109infostealerloaderspywarestealertrojan

Malware Config

Extracted

Family

privateloader

C2

http://108.174.200.11/MWTSL

http://108.174.198.132/MWTSL

http://108.174.199.249/MWTSL

Extracted

Family

redline

Botnet

6.67

C2

103.89.90.61:34589

Attributes
  • auth_value

    57de334192d09500bf7d628d081a6039

Extracted

Family

redline

Botnet

neruzki

C2

193.106.191.22:47242

Attributes
  • auth_value

    be14ae67c6dd227f622680a27ea42452

Extracted

Family

redline

Botnet

new1109

C2

jalocliche.xyz:81

chardhesha.xyz:81
Attributes
  • auth_value

    4e1b0eea6916e5eec6474516190b3725

Targets

    • Target

      Install.exe

    • Size

      7MB

    • MD5

      2cc80b5a83b5e1b96bf817d26099e664

    • SHA1

      2507f7ca248884372a3088bf6413bd8292f898ca

    • SHA256

      06c9681d0fcdc083535d3aaa823b0d5a483bb93f237fb7857cd8e72b20f4088c

    • SHA512

      d5027ecda8337735e2149f6048124975e06e25865150f01b357d80926c8b786e1e0dc64cebf51b7c85bc5f72ec07571a4f170882ed386753ff6905b7dd2ba007

    • SSDEEP

      196608:Pkc8XmEtyfj6x5kMdFYjdYb9UNaLhKxgNq+W3D:Pkc8WEw4kAFYqUNaLhqgNVA

    Score
    10/10
    amadeyprivateloaderredline6.67neruzkinew1109infostealerloaderspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Amadey credential stealer module

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks