Resubmissions

09/01/2023, 12:57

230109-p64akahf8s 10

09/01/2023, 12:53

230109-p41rnahf7v 10

09/01/2023, 09:46

230109-lrmgqadg47 10

General

  • Target

    d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe

  • Size

    235KB

  • Sample

    230109-p41rnahf7v

  • MD5

    ddfa4b4f9123e72e7b86f10cdd994a83

  • SHA1

    5efe2f2980c2fbb50d8f44271037293402667737

  • SHA256

    d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2c9b27dd5125b15b30b4

  • SHA512

    0988ef4bb20ef54e7a8457241c4c207998c49c4664d83895e85d0359098e8c2337b6e31a2cce966516c91182604c8fc04d605c83340a569ea9fe77d7ddc71f9a

  • SSDEEP

    6144:KbxUDsiH4X/Et6xXQ31UrhfSK6uVyWVYVtGgUO:KbQOXUghSuVyWVE7

Malware Config

Extracted

Family

amadey

Version

3.65

C2

62.204.41.32/8bmdh3Slb2/index.php

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Language

hta

Source

URLs

hta.dropper

https://ciadecompras.com/stubs/Encoding.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ciadecompras.com/stubs/Disable.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ciadecompras.com/SilverClient.exe

Extracted

Family

redline

Botnet

shura

C2

62.204.41.211:4065

Attributes
  • auth_value

    2f02f1c9ca2536317ad1d99107fe7cf1

Extracted

Family

redline

Botnet

Naskopro1001

C2

82.115.223.15:15486

Attributes
  • auth_value

    2758e9c533872760f08a9c6118f6721e

Extracted

Family

amadey

Version

3.63

C2

62.204.41.91/8kcnjd3da3/index.php

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.233:13553

Attributes
  • auth_value

    fbee175162920530e6bf470c8003fa1a

Extracted

Family

vidar

Version

1.8

Botnet

817

C2

https://t.me/year2023start

https://steamcommunity.com/profiles/76561199467421923

Attributes
  • profile_id

    817

Extracted

Family

redline

Botnet

1

C2

80.66.87.22:80

Attributes
  • auth_value

    988640d4b8a8e5204910f6d6a0e74af3
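The extracted configs above mix three shapes of indicator: Amadey C2s given as host plus path with no scheme, RedLine C2s given as bare host:port sockets, and Vidar "C2" entries that are really dead-drop resolvers on t.me and steamcommunity.com (the real C2 is read from that channel or profile page, which is what the "Legitimate hosting services abused for malware hosting/C2" signature refers to). The script below is an added example, not part of the Triage report or of any of the listed families' tooling: it normalises the indicators listed on this page into lookup tables and runs them over log lines. The log format, the sample lines, and the function names are constructed for the example. The one design point worth copying is that the shared hosts are matched only on the exact path; blocking or alerting on t.me or steamcommunity.com by hostname would bury the real hits in legitimate traffic.

```python
"""Added example (not from the Triage report): turn the C2 and dropper
indicators listed above into lookup tables and match them against
proxy/netflow style log lines.  INDICATORS is copied from the report; the
log format and the log lines are constructed for this example."""
import re
from urllib.parse import urlsplit

# (label, value) pairs as listed in the Malware Config section above.
INDICATORS = [
    ("amadey 3.65", "62.204.41.32/8bmdh3Slb2/index.php"),
    ("amadey 3.65", "77.73.134.27/8bmdh3Slb2/index.php"),
    ("amadey 3.63", "62.204.41.91/8kcnjd3da3/index.php"),
    ("hta.dropper", "https://ciadecompras.com/stubs/Encoding.txt"),
    ("ps1.dropper", "https://ciadecompras.com/stubs/Disable.txt"),
    ("exe.dropper", "https://ciadecompras.com/SilverClient.exe"),
    ("redline shura", "62.204.41.211:4065"),
    ("redline Naskopro1001", "82.115.223.15:15486"),
    ("redline @REDLINEVIP Cloud", "151.80.89.233:13553"),
    ("redline 1", "80.66.87.22:80"),
    ("vidar 817", "https://t.me/year2023start"),
    ("vidar 817", "https://steamcommunity.com/profiles/76561199467421923"),
]

# Vidar fetches its real C2 from these legitimate services (dead-drop
# resolvers).  Their hostnames carry normal user traffic, so they count as a
# hit only on the exact path, never on the host alone.
SHARED_HOSTS = {"t.me", "steamcommunity.com"}


def normalize(value):
    """Split one indicator into (host, port, path).

    Bare 'host:port' socket C2s (RedLine) get path None; URL-style indicators
    get their path and a default port of 80/443 when none is given.
    """
    if "://" not in value:
        if re.fullmatch(r"[^/]+:\d+", value):
            host, port = value.rsplit(":", 1)
            return host, int(port), None
        value = "http://" + value  # Amadey entries carry no scheme
    u = urlsplit(value)
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.hostname, port, u.path or "/"


SOCKET_C2 = {}        # (host, port) -> label
HTTP_C2 = {}          # (host, path) -> label
DEDICATED_HOSTS = {}  # host -> {labels}, hosts with no legitimate use
for label, value in INDICATORS:
    host, port, path = normalize(value)
    if path is None:
        SOCKET_C2[(host, port)] = label
    else:
        HTTP_C2[(host, path)] = label
    if host not in SHARED_HOSTS:
        DEDICATED_HOSTS.setdefault(host, set()).add(label)

# Constructed log format:
#   "<timestamp> <src_ip> <dst_host>:<dst_port> <method|proto> <path|->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<proto>\S+) (?P<path>\S+)$"
)


def match_line(line):
    """Return (label, match_kind) when a line touches an indicator, else None.

    Exact URL beats host:port beats bare host contact, so the most specific
    evidence available is what gets reported.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    host, port, path = m["dst"].lower(), int(m["port"]), m["path"]
    if (host, path) in HTTP_C2:
        return HTTP_C2[(host, path)], "url"
    if (host, port) in SOCKET_C2:
        return SOCKET_C2[(host, port)], "host:port"
    if host in DEDICATED_HOSTS:
        return ", ".join(sorted(DEDICATED_HOSTS[host])), "host"
    return None


def scan(lines):
    """Return [(line_number, label, match_kind)] for every hit in lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = match_line(line)
        if hit:
            hits.append((n, *hit))
    return hits


# Constructed sample traffic for the example; not taken from the report.
SAMPLE_LOG = [
    "2023-01-09T12:53:10Z 10.0.0.5 62.204.41.32:80 POST /8bmdh3Slb2/index.php",
    "2023-01-09T12:53:12Z 10.0.0.5 ciadecompras.com:443 GET /stubs/Disable.txt",
    "2023-01-09T12:53:15Z 10.0.0.5 62.204.41.211:4065 TCP -",
    "2023-01-09T12:53:20Z 10.0.0.5 t.me:443 GET /year2023start",
    "2023-01-09T12:53:21Z 10.0.0.5 t.me:443 GET /some_unrelated_channel",
    "2023-01-09T12:53:30Z 10.0.0.5 ciadecompras.com:443 GET /favicon.ico",
    "2023-01-09T12:53:40Z 10.0.0.5 www.microsoft.com:443 GET /",
]

if __name__ == "__main__":
    for n, label, kind in scan(SAMPLE_LOG):
        print(f"line {n}: {label} ({kind})")
```

Any contact with ciadecompras.com is reported even when the path is not one of the three listed stubs, because that host serves nothing but the dropper chain; the unrelated t.me channel on the fifth line is deliberately not reported.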

Targets

    • Target

      d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe

    • Size

      235KB

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detected phishing page

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Detected potential entity reuse from brand microsoft.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks