General

  • Target

    75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000

  • Size

    107KB

  • Sample

    230116-nwj89sac6v

  • MD5

    ef682e7e7493f49e878955238c1f8548

  • SHA1

    7daa4141036c73e92046fabe99a6e09c9c94ecd1

  • SHA256

    0833f46bb63961a8f18cc5520fbc4b6741e9a76ed2ac5955ffbba3169af9ddfc

  • SHA512

    5853af78e25b83859398255362c7d4ca27063e5bf2199b294aaf43e0c9ac0259f297330f4b03f3746214c794a74dcf0e22e9ce880d680dc93ac18afe3f544525

  • SSDEEP

    3072:s23m64YF6H//7X8UlqHEm6S9cpeAFNgvZBjPH:d3P3F6bcHnVjPH

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.27/9djZdj09/index.php

Extracted

Family

redline

Botnet

gula

C2

62.204.41.211:4065

Attributes
  • auth_value

    4bef3143c3de8ce351d43c906a88fb8a

Extracted

Family

redline

Botnet

1

C2

librchichelpai.shop:81

rniwondunuifac.shop:81

Attributes
  • auth_value

    b6c86adb7106e9ee7247628f59e06830

Extracted

Family

redline

Botnet

debra

C2

62.204.41.211:4065

Attributes
  • auth_value

    24df232a5a333f96ae6fb8b270fed1ff

Extracted

Family

redline

Botnet

1111223333

C2

82.115.223.9:15486

Attributes
  • auth_value

    64ab100c5a9f497dd18f093d7dc8818c

Targets

    • Target

      75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000

    • Size

      235KB

    • MD5

      77e0a0a90e0231493bd421f4cdab0668

    • SHA1

      b09f8951b42a2993b637df9e41f6a25be106c2cb

    • SHA256

      75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000

    • SHA512

      d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4

    • SSDEEP

      6144:FSfSsOzqs7nAV3QN2tW0J3SluVy3VYygXqgkX:hbN6J4uVy3V3ga

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Registers COM server for autorun

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Detected potential entity reuse from brand microsoft.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks