General

  • Target

    3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7

  • Size

    184KB

  • Sample

    221123-vp83dahf62

  • MD5

    514540f3045e9c0bd7eba95df871b5d4

  • SHA1

    38e59338d943c555119eb9aed8beb5822d673942

  • SHA256

    e7c06284305aa151e959c4fea7e863c3d94bc69585eadbd77f860aee4acf5233

  • SHA512

    e7712a0c9d3097b77b2b33da1d89c060a98be25e0beb2aaeb12c366d638aecf08671240d2215210c0fbd2c705ff76bef87ef5a858ade2eb4d45e54e09118e310

  • SSDEEP

    3072:BQaYecJc+mkE2nNWEcmqzGJXxggE/426iYnzLW4OcG5dRfHnjt57gEIXR/FN:BQaYNmkJnNWEc9zoXxm4XzLNOcWPfHnc

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.233:13553

Attributes
  • auth_value

    fbee175162920530e6bf470c8003fa1a

Extracted

Family

redline

Botnet

Variant01

C2

51.89.199.106:41383

Attributes
  • auth_value

    f9edc1d0874114c97679c32d442c2c61
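The two extracted configs give their C2s in different shapes: Amadey a scheme-less HTTP URL (an IP plus the `/g84kvj4jck/index.php` beacon path), RedLine bare `host:port` TCP endpoints. The Python below is an added example, not part of this report or of either family's code: it normalises both forms into one indicator list and runs them over constructed proxy and Zeek-style conn log lines. A host match on the beacon path (HTTP) or on the exact port (TCP) is reported as high confidence; a match on the IP alone is kept but marked low, since a C2 address can sit on shared hosting. The log formats, client addresses and timestamps are made up for the example, and the RedLine `auth_value` attributes are not used here.

```python
"""Match the C2 indicators extracted from this sample against network logs (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicators copied from the extracted configs above.
AMADEY_C2_URLS = ["193.56.146.174/g84kvj4jck/index.php"]
REDLINE_C2_ENDPOINTS = ["151.80.89.233:13553", "51.89.199.106:41383"]


@dataclass(frozen=True)
class Indicator:
    family: str
    host: str
    port: int
    path: Optional[str]  # only meaningful for HTTP-based families


def build_indicators() -> List[Indicator]:
    """Turn the two config formats into one indicator list."""
    inds = []
    for url in AMADEY_C2_URLS:
        # Amadey stores a scheme-less URL; prepend http:// so urlsplit parses it.
        p = urlsplit("http://" + url)
        inds.append(Indicator("amadey", p.hostname, p.port or 80, p.path))
    for ep in REDLINE_C2_ENDPOINTS:
        host, port = ep.rsplit(":", 1)
        inds.append(Indicator("redline", host, int(port), None))
    return inds


# Constructed log lines (not from the report). Proxy format: ts client method url status bytes.
PROXY_LOG = """\
2022-11-23T14:02:11Z 10.0.0.15 POST http://193.56.146.174/g84kvj4jck/index.php 200 311
2022-11-23T14:02:40Z 10.0.0.15 GET http://193.56.146.174/ 404 0
2022-11-23T14:03:02Z 10.0.0.22 GET http://example.com/index.php 200 5120
"""

# Constructed Zeek-style conn lines: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto.
CONN_LOG = """\
1669212131.442 CqbN3 10.0.0.15 49872 151.80.89.233 13553 tcp
1669212140.118 CkLp9 10.0.0.15 49875 151.80.89.233 443 tcp
1669212177.903 CzQ0a 10.0.0.22 51002 51.89.199.106 41383 tcp
1669212190.000 CaB1c 10.0.0.30 51010 8.8.8.8 53 udp
"""

Match = Tuple[str, str, str, str]  # (family, confidence, log source, client address)


def scan_proxy(log: str, inds: List[Indicator]) -> List[Match]:
    """HTTP indicators: host + beacon path is high confidence, host alone is low."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, *_rest = line.split()
        p = urlsplit(url)
        for ind in inds:
            if ind.path is None or p.hostname != ind.host:
                continue
            conf = "high" if p.path == ind.path else "low"
            hits.append((ind.family, conf, "proxy", client))
    return hits


def scan_conn(log: str, inds: List[Indicator]) -> List[Match]:
    """Flow records: destination host + exact C2 port is high confidence, host alone is low."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, _uid, orig_h, _orig_p, resp_h, resp_p, _proto = line.split()
        for ind in inds:
            if resp_h != ind.host:
                continue
            conf = "high" if int(resp_p) == ind.port else "low"
            hits.append((ind.family, conf, "conn", orig_h))
    return hits


def infected_hosts(hits: List[Match]) -> Dict[str, Set[str]]:
    """Collapse high-confidence hits to client -> families seen."""
    out: Dict[str, Set[str]] = {}
    for family, conf, _src, client in hits:
        if conf == "high":
            out.setdefault(client, set()).add(family)
    return out


if __name__ == "__main__":
    inds = build_indicators()
    hits = scan_proxy(PROXY_LOG, inds) + scan_conn(CONN_LOG, inds)
    for h in hits:
        print(h)
    print(infected_hosts(hits))
```

In the constructed data, 10.0.0.15 shows both an Amadey beacon and a RedLine connection, which is the pattern this sample would produce (the loader plus the stealer it drops); the second line to 193.56.146.174 and the port-443 flow to 151.80.89.233 stay low-confidence and are worth a look rather than an automatic verdict.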

Targets

    • Target

      3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7

    • Size

      244KB

    • MD5

      529dd7d863272e41eb4e8319861ac846

    • SHA1

      3efb8f465ebcbfe0ea2b36aa4e0021f1c26a9a38

    • SHA256

      3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7

    • SHA512

      89892f6afabbd558fc84787e2f2aee93ddf048997b343150ed9e0fe8c033236d8f0ac2c167685a48fa5dd686ba2f8a1394b02a875b6e3e3b7cc31e611c16d740

    • SSDEEP

      6144:wuTL+CSPjWEbvxm4XHLNOcWPfJnj7zIo3B2:wuT7SP/bvYE51WPfVjwIB2

    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information; in this sample it also downloads and runs further payloads (the RedLine configs above).

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution by region.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials and similar profile contents.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
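The signatures above are host-side behaviours, so they are detectable from endpoint telemetry rather than from the C2 list. The Python below is an added example, not Triage's signature engine or this sample's code: it encodes each listed behaviour as a rule and runs the rules over a constructed event trace in a generic EDR/sandbox shape (pid, image, operation, target). Assumptions, beyond the trace itself being made up: the geofence read is modelled on the `Control Panel\International\Geo` key; the "VBS compiler" signature is taken to mean the .NET Visual Basic compiler `vbc.exe`; wallet paths use Exodus, Electrum and `wallet.dat` as representative targets; `SetThreadContext` is assumed to appear as an API-trace entry; and the per-rule weights and the flag threshold are chosen for illustration. Chrome's `Login Data` and Firefox's `logins.json` are the real credential-store file names.

```python
"""Behaviour rules for the signatures listed above, run over a constructed host trace (added example)."""
import json
import re
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed trace (not from the report). Ops: reg_query, reg_set, file_read, proc_create, api_call.
TRACE = r"""
{"pid": 1200, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\sample.exe", "op": "reg_query", "target": "HKCU\\Control Panel\\International\\Geo\\Nation"}
{"pid": 1200, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\sample.exe", "op": "reg_set", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sample"}
{"pid": 1200, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\sample.exe", "op": "reg_query", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{GUID}\\DisplayName"}
{"pid": 1200, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\sample.exe", "op": "proc_create", "target": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"}
{"pid": 1200, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\sample.exe", "op": "api_call", "target": "SetThreadContext"}
{"pid": 1304, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "op": "file_read", "target": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"pid": 1304, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "op": "file_read", "target": "C:\\Users\\u\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
{"pid": 1304, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "op": "file_read", "target": "C:\\Users\\u\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"}
{"pid": 2001, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "op": "file_read", "target": "C:\\Users\\u\\Documents\\report.docx"}
{"pid": 2001, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "op": "reg_query", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Office16\\DisplayVersion"}
"""

Event = Dict[str, object]
Rule = Callable[[Event], bool]


def _t(e: Event) -> str:
    """Lower-cased target for case-insensitive path/key matching."""
    return str(e["target"]).lower()


# One rule per signature from the report. Keys are the rule names used in the output.
RULES: Dict[str, Rule] = {
    # "Adds Run key to start application"
    "run_key_persistence": lambda e: e["op"] == "reg_set" and "\\currentversion\\run\\" in _t(e),
    # "Checks computer location settings" (assumed key: Control Panel\International\Geo)
    "geo_check": lambda e: e["op"] == "reg_query" and "\\control panel\\international\\geo" in _t(e),
    # "Checks installed software on the system" (Uninstall key enumeration)
    "software_enum": lambda e: e["op"] == "reg_query" and "\\currentversion\\uninstall\\" in _t(e),
    # "Reads user/profile data of web browsers" (Chrome Login Data, Firefox logins.json)
    "browser_data_read": lambda e: e["op"] == "file_read"
    and (_t(e).endswith("\\login data") or _t(e).endswith("\\logins.json")),
    # "Accesses cryptocurrency files/wallets" (assumed representative wallet paths)
    "wallet_access": lambda e: e["op"] == "file_read"
    and re.search(r"\\(exodus|electrum)\\|wallet\.dat$", _t(e)) is not None,
    # "Uses the VBS compiler for execution" (assumed to mean spawning vbc.exe)
    "vbc_spawn": lambda e: e["op"] == "proc_create" and _t(e).endswith("\\vbc.exe"),
    # "Suspicious use of SetThreadContext" (assumed API-trace entry)
    "set_thread_context": lambda e: e["op"] == "api_call" and e["target"] == "SetThreadContext",
}

# Illustrative weights: reconnaissance-only rules are low because legitimate software
# (installers, updaters) also reads Uninstall and locale keys; the flag threshold is an assumption.
WEIGHTS = {
    "run_key_persistence": 2, "geo_check": 1, "software_enum": 1,
    "browser_data_read": 3, "wallet_access": 3, "vbc_spawn": 2, "set_thread_context": 3,
}
FLAG_THRESHOLD = 4


def evaluate(trace: str) -> Dict[int, Dict[str, object]]:
    """Return, per pid, the image, sorted matched rule names, summed score and a flag."""
    hits: Dict[int, set] = defaultdict(set)
    images: Dict[int, str] = {}
    for line in trace.strip().splitlines():
        e = json.loads(line)
        pid = int(e["pid"])
        images[pid] = str(e["image"])
        for name, rule in RULES.items():
            if rule(e):
                hits[pid].add(name)
    out = {}
    for pid, image in images.items():
        names: List[str] = sorted(hits.get(pid, set()))
        score = sum(WEIGHTS[n] for n in names)
        out[pid] = {"image": image, "rules": names, "score": score, "flag": score >= FLAG_THRESHOLD}
    return out


if __name__ == "__main__":
    for pid, r in evaluate(TRACE).items():
        print(pid, r["flag"], r["score"], r["rules"])
```

The scoring matters more than any single rule: in the constructed trace WINWORD.EXE also hits `software_enum`, which on its own is normal application behaviour, while the dropped `sample.exe` accumulates persistence, locale check, software enumeration, a `vbc.exe` child and `SetThreadContext`, and the `vbc.exe` process then reads browser and wallet files, which is the hollowed-host pattern the report's signatures describe.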
