General

  • Target

    c621995ef999ddffd73a64495cbd1e1d06318f6a47c584fc5b25d5569327af48

  • Size

    184KB

  • Sample

    221123-xahmzshd3t

  • MD5

    d5a9a1579ad90d84128e4d0e9160b85c

  • SHA1

    86bc2ee002cf4b2b49b794c167326a5e22a36705

  • SHA256

    e26653599d5f664152d9e31276cadbc35bbf4ac84abeb1bb66124af2b8305ce9

  • SHA512

    737cd5d23c982d37d25466a882fa5fe4ab839639828b458ccba66f70e29d01a786fa0ef5875a1640c93f070945da356ee2681596b4ea349348d563cc33c1e66d

  • SSDEEP

    3072:tnL4RE732++cSlbOku/0P5yE42fmT1ngK4lE/FFPttJqLK//+7F0JNkPDHa:x4s3qxlCrE5WTJgKqEN9tLqLoUQk7Ha

Malware Config

Extracted

  • Family: amadey
  • Version: 3.50
  • C2: 193.56.146.174/g84kvj4jck/index.php

Extracted

  • Family: redline
  • Botnet: @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
  • C2: 151.80.89.233:13553
  • Attributes
      • auth_value: fbee175162920530e6bf470c8003fa1a

Extracted

  • Family: redline
  • Botnet: Variant01
  • C2: 51.89.199.106:41383
  • Attributes
      • auth_value: f9edc1d0874114c97679c32d442c2c61

Targets

    • Target

      c621995ef999ddffd73a64495cbd1e1d06318f6a47c584fc5b25d5569327af48

    • Size

      244KB

    • MD5

      1a02333a68627b713ff9509041748b0b

    • SHA1

      a7cf4ab401588dd9b54b891e3acb7507543feab9

    • SHA256

      c621995ef999ddffd73a64495cbd1e1d06318f6a47c584fc5b25d5569327af48

    • SHA512

      ea8827e5ab7feb952b13a4be11c6b80e4719f657c8f27b0b2c13269665045d64a4ade4661da08fd86eedced0abd9b3e99bbd92a3ad2a92dc039503893b1aadd5

    • SSDEEP

      3072:5GkpuBFYSLE+wWRco5BQlMIdK4lE/FRPttJqLKF/+7F0JNkPZWF1hU:0k2LE+wi8lMkKqENxtLqL8UQkhW/hU

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks