General

  • Target

    file.exe

  • Size

    359KB

  • Sample

    221206-gd1pzahf84

  • MD5

    6b9df39ff3bc394a9aa4ca61ed44c281

  • SHA1

    0493642d0e978c91463716a6e2a0ac2efe4f4bef

  • SHA256

    f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16

  • SHA512

    a5ec256c0d56825487643e14c83aec5912047c2f3c69087fcbbc8ba9e7728d3a45e6c3ffac40c070f515cbbf572ddb60ffaa2cc4f8605d6432862407dde2e327

  • SSDEEP

    6144:G9X5jyr2LSFHl90ezQ5louvgclYgHq50TScoCF:G9XVyyeFHl901TnHq52FxF

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.50

  • C2

    62.204.41.6/p9cWxH/index.php

Extracted

  • Family

    redline

  • Botnet

    7777777

  • C2

    185.106.92.214:2510

Attributes
  • auth_value

    963a3fad67ade8410f4a236f4101f611

Targets

    • Target

      file.exe

    • Size

      359KB

    • MD5

      6b9df39ff3bc394a9aa4ca61ed44c281

    • SHA1

      0493642d0e978c91463716a6e2a0ac2efe4f4bef

    • SHA256

      f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16

    • SHA512

      a5ec256c0d56825487643e14c83aec5912047c2f3c69087fcbbc8ba9e7728d3a45e6c3ffac40c070f515cbbf572ddb60ffaa2cc4f8605d6432862407dde2e327

    • SSDEEP

      6144:G9X5jyr2LSFHl90ezQ5louvgclYgHq50TScoCF:G9XVyyeFHl901TnHq52FxF

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry; this is likely a geofencing check.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task    1    T1053

  • Persistence

    Scheduled Task    1    T1053

  • Privilege Escalation

    Scheduled Task    1    T1053

  • Credential Access

    Credentials in Files    1    T1081

  • Discovery

    Query Registry    1    T1012
    System Information Discovery    2    T1082

  • Collection

    Data from Local System    1    T1005
    Email Collection    1    T1114

Tasks