General

  • Target: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7
  • Size: 184KB
  • Sample: 221123-y6h43aca54
  • MD5: 745ab96229559ac6ac795abd9c187dc8
  • SHA1: 09063335c742542a09942eb7a571a89c9589464d
  • SHA256: 3b80fa2b154e80fb2ff7bb1e9f901005f7e7dff5bd98c84562ec2857366ad825
  • SHA512: 772702acba457daec9adfa243b3682996fad288e8455ad5d1318e706f1beff39f3d462132a9ce73cf4278179786a255341e16bfe5ed7155261f5dffa6a601e9d
  • SSDEEP: 3072:MQaYecJc+mkE2nNWEcmqzGJXxggE/426iYnzLW4OcG5dRfHnjt57gEIXR/Fs:MQaYNmkJnNWEc9zoXxm4XzLNOcWPfHnp

Malware Config

Extracted

  • Family: amadey
  • Version: 3.50
  • C2:
    193.56.146.174/g84kvj4jck/index.php
    185.246.221.126/i4kvjd3xc/index.php

Extracted

  • Family: redline
  • Botnet: novr
  • C2: 31.41.244.14:4694
  • Attributes:
    auth_value: 34ddf4eb9326256f20a48cd5f1e9b496

Extracted

  • Family: redline
  • Botnet: @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
  • C2: 151.80.89.233:13553
  • Attributes:
    auth_value: fbee175162920530e6bf470c8003fa1a

Extracted

  • Family: redline
  • Botnet: Variant01
  • C2: 51.89.199.106:41383
  • Attributes:
    auth_value: f9edc1d0874114c97679c32d442c2c61

Extracted

  • Family: netwire
  • C2: alice2019.myftp.biz:3360
  • Attributes:
    activex_autorun: false
    copy_executable: false
    delete_original: false
    host_id: Fs_Spread_0001
    keylogger_dir: %AppData%\Logs\
    lock_executable: false
    offline_keylogger: true
    password: Password
    registry_autorun: false
    use_mutex: false

Targets

    • Target: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7
    • Size: 244KB
    • MD5: 529dd7d863272e41eb4e8319861ac846
    • SHA1: 3efb8f465ebcbfe0ea2b36aa4e0021f1c26a9a38
    • SHA256: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7
    • SHA512: 89892f6afabbd558fc84787e2f2aee93ddf048997b343150ed9e0fe8c033236d8f0ac2c167685a48fa5dd686ba2f8a1394b02a875b6e3e3b7cc31e611c16d740
    • SSDEEP: 6144:wuTL+CSPjWEbvxm4XHLNOcWPfJnj7zIo3B2:wuT7SP/bvYE51WPfVjwIB2

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      1      T1112
  Credential Access     Credentials in Files                 3      T1081
  Discovery             Query Registry                       3      T1012
  Discovery             System Information Discovery         3      T1082
  Discovery             Peripheral Device Discovery          1      T1120
  Collection            Data from Local System               3      T1005
  Collection            Email Collection                     1      T1114

Tasks