General

  • Target

    7682da736410490fe1f88d36a2a7179e.exe

  • Size

    295KB

  • Sample

    221114-xysg4ahe6y

  • MD5

    7682da736410490fe1f88d36a2a7179e

  • SHA1

    0e1dd3a9d92b353aa3f7e45cb81edc50410e7304

  • SHA256

    143d6361791f2863395bca7d9503a56423aa46a89619f1dabfbd215e9d667bf4

  • SHA512

    9600c4a7025d3548e210c746f892e70e2801ddec9d7060331f70262235a82a365b0887a5b81bd07a66fc32f94eef896c1835f0f82001c5792d24f77cf8e0b404

  • SSDEEP

    3072:6XO6rtA+LyaF103OLuPjP87PpsRM6R5f9Wzd+KYFQIUbT+PfaFJFg5EhCodZnI6e:a/y+LC3OLKoPyq6VyUK00TmEndTQ

Malware Config

Extracted

Family

redline

Botnet

rozena1114

C2

jalocliche.xyz:81

chardhesha.xyz:81

Attributes
  • auth_value

    9fefd743a3b62bcd7c3e17a70fbdb3a8

Targets

    • Target

      7682da736410490fe1f88d36a2a7179e.exe

    • Size

      295KB

    • MD5

      7682da736410490fe1f88d36a2a7179e

    • SHA1

      0e1dd3a9d92b353aa3f7e45cb81edc50410e7304

    • SHA256

      143d6361791f2863395bca7d9503a56423aa46a89619f1dabfbd215e9d667bf4

    • SHA512

      9600c4a7025d3548e210c746f892e70e2801ddec9d7060331f70262235a82a365b0887a5b81bd07a66fc32f94eef896c1835f0f82001c5792d24f77cf8e0b404

    • SSDEEP

      3072:6XO6rtA+LyaF103OLuPjP87PpsRM6R5f9Wzd+KYFQIUbT+PfaFJFg5EhCodZnI6e:a/y+LC3OLKoPyq6VyUK00TmEndTQ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks