General

  • Target

    e47e077edaa9d362444467c0b6cbce82ffb7dda75a1aa58d9e7019ca366d586e

  • Size

    184KB

  • Sample

    221115-je3basbh4x

  • MD5

    d22ace640c08a8a99ec0483594be87c7

  • SHA1

    fc1b84cc90c6a5499b98e537baa719a70aed3f33

  • SHA256

    e47e077edaa9d362444467c0b6cbce82ffb7dda75a1aa58d9e7019ca366d586e

  • SHA512

    ec90a5aa4ec60f6e598cedc362f70a5d83ab42eaf0e0f6d180f42bdb1ab9daa1535ad57b7fb4d9e0982dd7424ef08a056fa2f023022cd047955b69151de31f92

  • SSDEEP

    3072:WAtj+e5K8Qrg9s9liM5ZfFqwIu3f5Dm3J/pYp0R:lq77iM5ZfowIu3f4l

Malware Config

Extracted

Family

redline

Botnet

123

C2

78.153.144.3:2510

Attributes
  • auth_value

    cd6abb0af211bce081d7bf127cc26835

Extracted

Family

redline

Botnet

rozena1114

C2

jalocliche.xyz:81

chardhesha.xyz:81

Attributes
  • auth_value

    9fefd743a3b62bcd7c3e17a70fbdb3a8

Targets

    • Target

      e47e077edaa9d362444467c0b6cbce82ffb7dda75a1aa58d9e7019ca366d586e

    • Size

      184KB

    • MD5

      d22ace640c08a8a99ec0483594be87c7

    • SHA1

      fc1b84cc90c6a5499b98e537baa719a70aed3f33

    • SHA256

      e47e077edaa9d362444467c0b6cbce82ffb7dda75a1aa58d9e7019ca366d586e

    • SHA512

      ec90a5aa4ec60f6e598cedc362f70a5d83ab42eaf0e0f6d180f42bdb1ab9daa1535ad57b7fb4d9e0982dd7424ef08a056fa2f023022cd047955b69151de31f92

    • SSDEEP

      3072:WAtj+e5K8Qrg9s9liM5ZfFqwIu3f5Dm3J/pYp0R:lq77iM5ZfowIu3f4l

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks