General

  • Target

    c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

  • Size

    26KB

  • Sample

    221211-ecqr9sbb7z

  • MD5

    7c2a15bf34cf3bdea133966c8904fdfc

  • SHA1

    ecd293af1ef5116a6ffcb19dda0db4c63c13e8ab

  • SHA256

    bcb480ff6da33dbd3702dbb800fb86154f7143d7fd82a7c75da577152878a219

  • SHA512

    8a0a9a443f51609512786ed0ff9b97dce12e2e95fd25c77d77af022e6d4c30130f42b4a09bb1ef8b20598108d08859dbfacb780da5f2096f5ee06bd85ea81731

  • SSDEEP

    768:wrus7x3pLaXUTN88Dwq1/R7tigXQdNJzIrUGB:wrdx3p+W68b/Bt/XiY9

Malware Config

Extracted

  Family:  redline
  Botnet:  GOLD
  C2:      45.138.16.105:30305
  Attributes
    • auth_value
      4f782696884d580a958a158781386d86

Extracted

  Family:  amadey
  Version: 3.50
  C2:      1h3art.me/i4kvjd3xc/index.php

Targets

    • Target

      c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

    • Size

      29KB

    • MD5

      1496b98fe0530da47982105a87a69bce

    • SHA1

      00719a1b168c8baa3827a161326b157713f9a07a

    • SHA256

      c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

    • SHA512

      286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6

    • SSDEEP

      768:en3FjOzFQjRuGjXi2nZFwn3SGTfMve9L0hPOZ:eaQ3Xi2ni3SKfMkLw

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                               Count  ID
  ---------------------  --------------------------------------  -----  -----
  Execution              Scheduled Task                          1      T1053
  Persistence            Registry Run Keys / Startup Folder      1      T1060
  Persistence            Scheduled Task                          1      T1053
  Privilege Escalation   Scheduled Task                          1      T1053
  Defense Evasion        Modify Registry                         1      T1112
  Credential Access      Credentials in Files                    2      T1081
  Discovery              Query Registry                          3      T1012
  Discovery              System Information Discovery            3      T1082
  Discovery              Peripheral Device Discovery             1      T1120
  Collection             Data from Local System                  2      T1005

Tasks