General
-
Target
59213ee608a0e6d9e9ee16a78773560ba024e9e94b587dce6ab488fea45eb212
-
Size
187KB
-
Sample
221124-yb8fgahe3x
-
MD5
4208d016a5bf97452217a88d6667b61d
-
SHA1
3b815ab9e7c714a17c5a8668aae8972abbe51aee
-
SHA256
59213ee608a0e6d9e9ee16a78773560ba024e9e94b587dce6ab488fea45eb212
-
SHA512
d30b805e981b90aaffcbe881034d3050508530f7401b1702a334b5bf44be285ad6f32ee2581519c90f1b797d5a51cd4dfa3f5c4e76af10e50c51effb6be8f759
-
SSDEEP
3072:cs2zBlK4xlBRTYvLJ8Q210mkl5bjrizb8l6CNWmRTPSrAy:mzHcL2Q2d0OzEF5PSr
Malware Config
Extracted
amadey
3.50
77.73.134.65/o7VsjdSa2f/index.php
Extracted
redline
KRIPT
212.8.246.157:32348
-
auth_value
80ebe4bab7a98a7ce9c75989ff9f40b4
Targets
-
-
Target
59213ee608a0e6d9e9ee16a78773560ba024e9e94b587dce6ab488fea45eb212
-
Size
187KB
-
MD5
4208d016a5bf97452217a88d6667b61d
-
SHA1
3b815ab9e7c714a17c5a8668aae8972abbe51aee
-
SHA256
59213ee608a0e6d9e9ee16a78773560ba024e9e94b587dce6ab488fea45eb212
-
SHA512
d30b805e981b90aaffcbe881034d3050508530f7401b1702a334b5bf44be285ad6f32ee2581519c90f1b797d5a51cd4dfa3f5c4e76af10e50c51effb6be8f759
-
SSDEEP
3072:cs2zBlK4xlBRTYvLJ8Q210mkl5bjrizb8l6CNWmRTPSrAy:mzHcL2Q2d0OzEF5PSr
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-