General

  • Target

    470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

  • Size

    184KB

  • Sample

    221123-z9x8tseg74

  • MD5

    3afaba6204537feec3fb7ba71ef18c51

  • SHA1

    1b26fa9dcf37086beadfd6a5ad637084aa5f0684

  • SHA256

    dbcd164e67c1f09f59e7d2ae995c4450bd46868bab11b5fe13beb3e9b40c92b4

  • SHA512

    e0b19080e341efc85d95f59cb62d2aa44eb3f8be71f1bc1ee8d1e649a554219395bdfc5b03114458a584cbc87a1fb2cebe218c8d8001c07aea995885d51a9080

  • SSDEEP

    3072:wu1hWsM8qyJ+SA8pBMvi1/nbUdrmd80ac92uO9i9bJRTE2TAZa24q4jTW6YI77CR:wqhWF8Apvep8Bc9JOkbzzWp4HW677CNn

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.50

  • C2

    193.56.146.174/g84kvj4jck/index.php
    185.246.221.126/i4kvjd3xc/index.php

Extracted

  • Family

    redline

  • Botnet

    @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

  • C2

    151.80.89.233:13553

Attributes
  • auth_value

    fbee175162920530e6bf470c8003fa1a

Extracted

  • Family

    netwire

  • C2

    alice2019.myftp.biz:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    Fs_Spread_0001

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

    • Size

      244KB

    • MD5

      0906eebf6f5fd1f9029e4bc6f81a636d

    • SHA1

      938df93f0f7ebb8f31a2d2e57c2447d17a0737b8

    • SHA256

      470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

    • SHA512

      dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6

    • SSDEEP

      6144:wuh1kLkzOqq8CW1V8Hcc9JOkbztWp4vW677CNZwVLL:wuh1kxqq8HrIDvHfCNW

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 2

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 2
