General

  • Target

    2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862

  • Size

    235KB

  • Sample

    230115-17f27sgh9z

  • MD5

    9630e11f88c832c3c7a5da18ef9cc0ac

  • SHA1

    5bfadbe22a7b3a1db3cb5a7f2ec224f4e44c7bd0

  • SHA256

    2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862

  • SHA512

    da94fdf546709e7f18af019cd92e23af81d161b9e2730b65719381da052320191d957db16d06b26021f8de686a7fb6b20d9715fe7e64a0c7063a6b3051dab4cd

  • SSDEEP

    6144:WfSsOzqs7nAV3QN2tW0J3SluVy3VYlSgXqgkX:jbN6J4uVy3VmSga

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.66

  • C2

    62.204.41.121/ZxhssZx/index.php

    maximumpushtodaynotnowbut.com/Nmkn5d9Dn/index.php

    motiontodaynotgogoodnowok.com/Nmkn5d9Dn/index.php

    sogoodnowtodaynow.com/Nmkn5d9Dn/index.php

Extracted

  • Family

    redline

  • Botnet

    @REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

  • C2

    151.80.89.233:13553

  • Attributes

    auth_value: fbee175162920530e6bf470c8003fa1a

Extracted

  • Family

    eternity

  • C2

    http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Extracted

  • Family

    redline

  • Botnet

    inst

  • C2

    65.109.187.41:3042

  • Attributes

    auth_value: 8ef99fdc075dae8e33613f12c3d304f4

Extracted

  • Family

    redline

  • Botnet

    debra

  • C2

    62.204.41.211:4065

  • Attributes

    auth_value: 24df232a5a333f96ae6fb8b270fed1ff

Extracted

  • Family

    redline

  • Botnet

    👉 @NoxyCloud 💁‍♂️ @iamNoxy 🌎 https//Noxy.Cloud

  • C2

    4.231.221.86:2297

  • Attributes

    auth_value: fcb215e46d5515b2b3b57a444c048a08

Extracted

  • Family

    amadey

  • Version

    3.65

  • C2

    77.73.134.27/8bmdh3Slb2/index.php

Extracted

  • Family

    redline

  • Botnet

    McAfeeReborn

  • C2

    5.183.78.73:80

  • Attributes

    auth_value: 257d24de4129a3960d1527567c92e421

Extracted

  • Family

    redline

  • Botnet

    Zip

  • C2

    116.203.68.191:37237

  • Attributes

    auth_value: 71797667b72c92b6446cd686bd03795c

Extracted

  • Family

    socelars

  • C2

    https://hdbywe.s3.us-west-2.amazonaws.com/adwwe09/

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
