Resubmissions

  • 09-11-2022 21:24  221109-z9j17sdhgr (1)

  • 09-11-2022 21:01  221109-ztxmcscaf8 (10)

General

  • Target

    b35ca066edcf57fe0730d8e2ae677a573480b008897fb4a18daff3b8c084b7bd

  • Size

    188KB

  • Sample

    221109-ztxmcscaf8

  • MD5

    d66763e10add045462aa126cf85a98fe

  • SHA1

    21f8a525a3b8ba61e1c4ae263467c6b48388a907

  • SHA256

    b35ca066edcf57fe0730d8e2ae677a573480b008897fb4a18daff3b8c084b7bd

  • SHA512

    5d20c47d810eb344bdfe7729f3b8724a5a403c31db518a62c613e14555b922d9890f62168d2fc3d97d1acbc65ef0f77aeabe6f8a457167fb0c6cac21b2bc0bd7

  • SSDEEP

    3072:FdXBe53l+5z+1DH4L8dkeibhR+buE+roBDJ1RpeEImH3c9hZIuMLNV9b1Yn6IpIM:TBE+5z+dH4LCkei/foVJ1RzIJhZ0Vl1m

Malware Config

Extracted

  • Family

    redline

  • C2

    45.15.156.37:110

  • Attributes

    auth_value: 19cd76dae6d01d9649fd29624fa61e51

Extracted

  • Family

    redline

  • Botnet

    mao

  • C2

    77.73.134.251:4691

  • Attributes

    auth_value: a06897b11f5e600c4479f1b544acc337

Extracted

  • Family

    redline

  • Botnet

    @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

  • C2

    151.80.89.233:13553

  • Attributes

    auth_value: fbee175162920530e6bf470c8003fa1a

Targets

    • Target

      b35ca066edcf57fe0730d8e2ae677a573480b008897fb4a18daff3b8c084b7bd

    • Size

      188KB

    • MD5

      d66763e10add045462aa126cf85a98fe

    • SHA1

      21f8a525a3b8ba61e1c4ae263467c6b48388a907

    • SHA256

      b35ca066edcf57fe0730d8e2ae677a573480b008897fb4a18daff3b8c084b7bd

    • SHA512

      5d20c47d810eb344bdfe7729f3b8724a5a403c31db518a62c613e14555b922d9890f62168d2fc3d97d1acbc65ef0f77aeabe6f8a457167fb0c6cac21b2bc0bd7

    • SSDEEP

      3072:FdXBe53l+5z+1DH4L8dkeibhR+buE+roBDJ1RpeEImH3c9hZIuMLNV9b1Yn6IpIM:TBE+5z+dH4LCkei/foVJ1RzIJhZ0Vl1m

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064): 1

  • Scheduled Task (T1053): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Scripting (T1064): 1

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 3

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

  • Peripheral Device Discovery (T1120): 1

Collection

  • Data from Local System (T1005): 3

  • Email Collection (T1114): 1

Command and Control

  • Web Service (T1102): 1

Tasks