General

  • Target

    86def4439d70e908478819d3bed01ff8f47b1e1ccb2a82181aa2b7bfa51911d0.exe

  • Size

    174KB

  • Sample

    221115-lfazjscc3v

  • MD5

    b53973447e614cfcde8d03463955162a

  • SHA1

    daf2284e1ab9cfae6c9fde2ef9452fdd7fbd700c

  • SHA256

    86def4439d70e908478819d3bed01ff8f47b1e1ccb2a82181aa2b7bfa51911d0

  • SHA512

    184e2e794726053952c2b91d2051c4ec506d2271d5262e52ee2e54b403a23f969159a067738d30248c2732d90570011602da2ecc77a9a2fa9041ea3f9698a8d6

  • SSDEEP

    3072:70lOFhfoZ7L7bZtX/AR+gVB0j2avIVHHqtqt8c:A4yL7bZtPN2irIVHGC

Malware Config

Extracted

Family

redline

Botnet

rozena1114

C2

jalocliche.xyz:81

chardhesha.xyz:81

Attributes
  • auth_value

    9fefd743a3b62bcd7c3e17a70fbdb3a8

Targets

    • Target

      86def4439d70e908478819d3bed01ff8f47b1e1ccb2a82181aa2b7bfa51911d0.exe

    • Size

      174KB

    • MD5

      b53973447e614cfcde8d03463955162a

    • SHA1

      daf2284e1ab9cfae6c9fde2ef9452fdd7fbd700c

    • SHA256

      86def4439d70e908478819d3bed01ff8f47b1e1ccb2a82181aa2b7bfa51911d0

    • SHA512

      184e2e794726053952c2b91d2051c4ec506d2271d5262e52ee2e54b403a23f969159a067738d30248c2732d90570011602da2ecc77a9a2fa9041ea3f9698a8d6

    • SSDEEP

      3072:70lOFhfoZ7L7bZtX/AR+gVB0j2avIVHHqtqt8c:A4yL7bZtPN2irIVHGC

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks