General

  • Target

    59213ee608a0e6d9e9ee16a78773560ba024e9e94b587dce6ab488fea45eb212

  • Size

    187KB

  • Sample

    221124-yb8fgahe3x

  • MD5

    4208d016a5bf97452217a88d6667b61d

  • SHA1

    3b815ab9e7c714a17c5a8668aae8972abbe51aee

  • SHA256

    59213ee608a0e6d9e9ee16a78773560ba024e9e94b587dce6ab488fea45eb212

  • SHA512

    d30b805e981b90aaffcbe881034d3050508530f7401b1702a334b5bf44be285ad6f32ee2581519c90f1b797d5a51cd4dfa3f5c4e76af10e50c51effb6be8f759

Malware Config

Extracted

Family

amadey

Version

3.50

C2

77.73.134.65/o7VsjdSa2f/index.php

Extracted

Family

redline

Botnet

KRIPT

C2

212.8.246.157:32348

Attributes
auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4

Targets

    • Target

      59213ee608a0e6d9e9ee16a78773560ba024e9e94b587dce6ab488fea45eb212

    • Size

      187KB

    • MD5

      4208d016a5bf97452217a88d6667b61d

    • SHA1

      3b815ab9e7c714a17c5a8668aae8972abbe51aee

    • SHA256

      59213ee608a0e6d9e9ee16a78773560ba024e9e94b587dce6ab488fea45eb212

    • SHA512

      d30b805e981b90aaffcbe881034d3050508530f7401b1702a334b5bf44be285ad6f32ee2581519c90f1b797d5a51cd4dfa3f5c4e76af10e50c51effb6be8f759

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

              Privilege Escalation