Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    233KB

  • Sample

    221125-njt8psdd67

  • MD5

    4149b7ced64c1cb7517446aab862ceed

  • SHA1

    aacbf47e0f15775f3c35b4c0cd39861534bb4559

  • SHA256

    5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288

  • SHA512

    cae9f023f97ee98d50fcd4d1a04f7c913c9e37bf85f1ee57f847dfcc3e11fce1c67dd74d571e0f9786150b55bc9ddecdbdba23efee50885815e142fa4f654170

  • SSDEEP

    6144:G5FBs/1/P03oPswvDwJwohllMN+bW3VCf:GzB+9P0YPsw7wxhjXbWlCf

Score
10/10
amadeyredline@redlinevip cloud (tg: @fatherofcarders)popsritchshitdiscoveryinfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

1h3art.me/i4kvjd3xc/index.php

Extracted

Family

redline

Botnet

pops

C2

31.41.244.14:4694

Attributes
  • auth_value

    c377eb074ac3f12f85b0ff38d543b16d

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.233:13553

Attributes
  • auth_value

    fbee175162920530e6bf470c8003fa1a

Extracted

Family

redline

Botnet

ritchshit

C2

94.103.183.33:80

Attributes
  • auth_value

    98c1a18edcc6e04afa19a0ee3b16a6e2

Targets

    • Target

      file.exe

    • Size

      233KB

    • MD5

      4149b7ced64c1cb7517446aab862ceed

    • SHA1

      aacbf47e0f15775f3c35b4c0cd39861534bb4559

    • SHA256

      5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288

    • SHA512

      cae9f023f97ee98d50fcd4d1a04f7c913c9e37bf85f1ee57f847dfcc3e11fce1c67dd74d571e0f9786150b55bc9ddecdbdba23efee50885815e142fa4f654170

    • SSDEEP

      6144:G5FBs/1/P03oPswvDwJwohllMN+bW3VCf:GzB+9P0YPsw7wxhjXbWlCf

    Score
    10/10
    amadeyredline@redlinevip cloud (tg: @fatherofcarders)popsritchshitdiscoveryinfostealerpersistencespywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks