General

  • Target

    065ee41f9a4f66bd96f0448d68cc4178.exe

  • Size

    241KB

  • Sample

    221203-rvpzxacf9y

  • MD5

    065ee41f9a4f66bd96f0448d68cc4178

  • SHA1

    12cfe42b86f2f050cb40f75cd1bd1b1832e6aea7

  • SHA256

    be91543d87f31d5bab7129c8bc63646ccc7c6aacabfa527ef4642a386145334c

  • SHA512

    f97a7d052e9d6cf0c7383b9961d17c85220245794819d06f6d6593ff3f05ad91a88112799890fc851d699517653e8ae807c2f9a025bbfa33465aa91771c632f7

  • SSDEEP

    6144:QuipnySnYTepzkqldDIM4z9ujpdD5LGS:QbVlmM+ujpdDAS

Malware Config

Extracted

Family

amadey

Version

3.50

C2

62.204.41.6/p9cWxH/index.php

Extracted

Family

redline

Botnet

Lege

C2

31.41.244.14:4694

Attributes
  • auth_value

    096090aaf3ba0872338140cec5689868

Extracted

Family

redline

Botnet

new2811

C2

jamesmillion.xyz:15772

Attributes
  • auth_value

    86a08d2c48d5c5db0c9cb371fb180937

Extracted

Family

redline

Botnet

shablatest

C2

217.61.106.31:6892

Attributes
  • auth_value

    3c2dbfc14cb1ebc179ad72cbe24dbd3d
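
The four C2 entries above come in two shapes: Amadey gives a bare URL (host plus panel path, no port), RedLine gives host:port. The script below is an added example, not part of the sandbox report, that normalises both shapes into one IOC record and sweeps proxy/flow-style log lines for them. The log lines and their format are constructed for the demo; a hit on the right host but the wrong port or path is reported as "host-only" rather than dropped, because the host itself is attacker-controlled, while a matching path on an unrelated host is deliberately not a hit (a panel path like index.php is too generic on its own).

```python
"""Normalise the Amadey/RedLine C2 values from the report into IOCs and sweep
constructed log lines for them. Added example; not output of the sandbox."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of the report.
CONFIG = [
    {"family": "amadey", "label": "3.50", "c2": "62.204.41.6/p9cWxH/index.php"},
    {"family": "redline", "label": "Lege", "c2": "31.41.244.14:4694"},
    {"family": "redline", "label": "new2811", "c2": "jamesmillion.xyz:15772"},
    {"family": "redline", "label": "shablatest", "c2": "217.61.106.31:6892"},
]


@dataclass(frozen=True)
class C2:
    family: str
    label: str            # Amadey version or RedLine botnet name
    host: str
    port: Optional[int]   # None when the config only gives a URL (Amadey)
    path: Optional[str]   # None when the config only gives host:port (RedLine)


def parse_c2(entry: dict) -> C2:
    """Handle both config shapes: 'host/path' (Amadey) and 'host:port' (RedLine)."""
    # A leading '//' makes urlsplit treat the value as netloc + path, not as a path.
    u = urlsplit("//" + entry["c2"])
    return C2(entry["family"], entry["label"], u.hostname.lower(), u.port, u.path or None)


IOCS = [parse_c2(e) for e in CONFIG]

# Constructed log lines for the demo (not from the sandbox run), one connection per line:
#   <timestamp> <src_ip> -> <dst_host>:<dst_port> <METHOD path | TCP>
SAMPLE_LOG = """\
2022-12-03T10:01:12Z 10.0.0.12 -> 62.204.41.6:80 POST /p9cWxH/index.php
2022-12-03T10:01:15Z 10.0.0.12 -> 31.41.244.14:4694 TCP
2022-12-03T10:02:01Z 10.0.0.7 -> jamesmillion.xyz:443 TCP
2022-12-03T10:02:30Z 10.0.0.7 -> 93.184.216.34:80 POST /p9cWxH/index.php
2022-12-03T10:03:00Z 10.0.0.9 -> 217.61.106.31:6892 TCP
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> ([^:\s]+):(\d+) (TCP|[A-Z]+ (\S+))$")


def match_line(line: str) -> Optional[dict]:
    """Return a hit record for one log line, or None when no C2 host appears."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, host, port, _, path = m.groups()
    host, port = host.lower(), int(port)
    for ioc in IOCS:
        if ioc.host != host:
            continue  # path alone (e.g. /index.php) is too generic to alert on
        port_ok = ioc.port is None or ioc.port == port
        path_ok = ioc.path is None or ioc.path == path
        confidence = "high" if port_ok and path_ok else "host-only"
        return {"ts": ts, "src": src, "ioc": ioc, "confidence": confidence}
    return None


def sweep(log: str) -> list:
    """Sweep a whole log and return every hit, in log order."""
    return [h for h in (match_line(l) for l in log.splitlines()) if h]


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        ioc = hit["ioc"]
        print(f'{hit["ts"]} {hit["src"]} -> {ioc.family}/{ioc.label} [{hit["confidence"]}]')
```

On the constructed log this yields four hits: the three RedLine host:port pairs and the Amadey panel path at high confidence, except the connection to jamesmillion.xyz on 443, which is flagged host-only because the config names port 15772. The RedLine auth_value fields are not matched here: they are config metadata for the bot's C2 handshake, not something these connection-level log lines contain.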

Targets

    • Target

      065ee41f9a4f66bd96f0448d68cc4178.exe

    • Size

      241KB

    • MD5

      065ee41f9a4f66bd96f0448d68cc4178

    • SHA1

      12cfe42b86f2f050cb40f75cd1bd1b1832e6aea7

    • SHA256

      be91543d87f31d5bab7129c8bc63646ccc7c6aacabfa527ef4642a386145334c

    • SHA512

      f97a7d052e9d6cf0c7383b9961d17c85220245794819d06f6d6593ff3f05ad91a88112799890fc851d699517653e8ae807c2f9a025bbfa33465aa91771c632f7

    • SSDEEP

      6144:QuipnySnYTepzkqldDIM4z9ujpdD5LGS:QbVlmM+ujpdDAS

    • Amadey

      Amadey is a simple trojan/bot primarily used for collecting reconnaissance information and for downloading further payloads; this run also carries RedLine.

    • Detect Amadey credential stealer module

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is typical of process hollowing, where a payload is written into a suspended process and its entry point redirected.
