General

  • Target

    880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6

  • Size

    332KB

  • Sample

    221205-syetsace96

  • MD5

    31d0310cd3d6d5e2e7c51508c12b25dd

  • SHA1

    c19664c55ede5d5411d348fae4832823b7085086

  • SHA256

    880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6

  • SHA512

    2015f457aa5daa7ce8460c954243184ec77187f1ad1d997167074f84a3d31b32bf55be08b0d6043f20ddee289e93809150cc0b966e277fa7d66fdb92d10b1c9c

  • SSDEEP

    6144:2nthmabx7r/ALqcu8pPP0uJLnJ0Lf02sge2U:2ntYabx7kZdP0uJLnJWfPmd

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs (exe.dropper)

    https://cdn.discordapp.com/attachments/1015613582383259758/1018992777566097538/error.log.1

Extracted

  • Family

    amadey

  • Version

    3.50

  • C2

    62.204.41.6/p9cWxH/index.php

Extracted

  • Family

    redline

  • Botnet

    Wish

  • C2

    31.41.244.14:4694

  • Attributes

    auth_value: 836b5b05c28f01127949ef1e84b93e92

Extracted

  • Family

    amadey

  • Version

    3.10

  • C2

    hellomr.observer/f8dfksdj3/index.php

    researchersgokick.rocks/f8dfksdj3/index.php

    pleasetake.pictures/f8dfksdj3/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Registry Run Keys / Startup Folder (1) T1060

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Modify Registry (1) T1112

  • Credential Access

    Credentials in Files (3) T1081

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082

    Remote System Discovery (1) T1018

  • Collection

    Data from Local System (3) T1005

    Email Collection (1) T1114

Tasks