General

  • Target

    1f2a80d5d23e63f348c5aaa589f2c004235e1fb6298caf91d1b25773381a8d58

  • Size

    331KB

  • Sample

    221206-ewdbaacd3z

  • MD5

    bcbc4a4faf06b1fa399e2107b6869b22

  • SHA1

    1b96550abad623743c7e44c5116fda8388b8fcff

  • SHA256

    1f2a80d5d23e63f348c5aaa589f2c004235e1fb6298caf91d1b25773381a8d58

  • SHA512

    a8ec68e651fbec2fc2c52118c55eabb7e23bc0da4ba5b8f7cd321d34f4cb2be4fc770d0856117140c553238e341edb5b7f12c1c881fcfb73fc63a879d24083a2

  • SSDEEP

    6144:0BCHhF1mmfgV8praPlIb9TbuaiIDcZpHVS:0BCBFHtpraPliTS2DcPHVS

Malware Config

Extracted

Family

amadey

Version

3.50

C2

62.204.41.6/p9cWxH/index.php

Extracted

Family

redline

Botnet

7777777

C2

185.106.92.214:2510

Attributes
  • auth_value

    963a3fad67ade8410f4a236f4101f611

Extracted

Family

redline

Botnet

wosh

C2

31.41.244.14:4683

Attributes
  • auth_value

    f0ec85e2aaa9e62929e2fb9e09d843f4

Targets

    • Target

      1f2a80d5d23e63f348c5aaa589f2c004235e1fb6298caf91d1b25773381a8d58

    • Size

      331KB

    • MD5

      bcbc4a4faf06b1fa399e2107b6869b22

    • SHA1

      1b96550abad623743c7e44c5116fda8388b8fcff

    • SHA256

      1f2a80d5d23e63f348c5aaa589f2c004235e1fb6298caf91d1b25773381a8d58

    • SHA512

      a8ec68e651fbec2fc2c52118c55eabb7e23bc0da4ba5b8f7cd321d34f4cb2be4fc770d0856117140c553238e341edb5b7f12c1c881fcfb73fc63a879d24083a2

    • SSDEEP

      6144:0BCHhF1mmfgV8praPlIb9TbuaiIDcZpHVS:0BCBFHtpraPliTS2DcPHVS

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks