General

  • Target

    2073406f740a15b0bcdc15b30d558dd7155fff533508247b4304b32d04c7ea85

  • Size

    246KB

  • Sample

    230117-17d8lsha86

  • MD5

    54d77d83a9d14719645848a53a9295a6

  • SHA1

    4e04bb8cd980f568df05b92a894b50cb1f5258b4

  • SHA256

    2073406f740a15b0bcdc15b30d558dd7155fff533508247b4304b32d04c7ea85

  • SHA512

    9ea89676aa993b0def9be6870bea7452ea38e0781e561b8484488a91705e9f1fbaee048ed7a7826f782e6f418708151cf9ac96184fc18771764fe97d2918ce9c

  • SSDEEP

    6144:eNN2mv+MgDd73GA1NXZn6zlvKoWFu7u1yikKQXvR:qrgZDGABWl5W6u1y9

Malware Config

Extracted

Family

amadey

Version

3.65

C2

193.42.33.28/8bmdh3Slb2/index.php

Extracted

Family

redline

C2

37.220.87.13:48790

Attributes
  • auth_value

    e2664b77009718757d7b3fb32274f6f6

Extracted

Family

aurora

C2

37.220.87.13:8081
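
The three C2 entries above come in two shapes: a bare `ip:port` socket (RedLine, Aurora) and a scheme-less `host/path` panel URL (Amadey). The following is an added example, not part of the sandbox report or any of the malware families' own code: it normalizes those indicators and runs them over a handful of constructed connection/HTTP log lines (the `CONN`/`HTTP` line format and the sample lines are invented for the example). It assumes the Amadey `host/path` entry is reached over plain HTTP on port 80, which the report does not state, and it reports a host-only hit on 37.220.87.13 at lower confidence because that address serves two families on different ports.

```python
"""Match the C2 indicators from the report above against constructed log lines.
Added example; not code from the sandbox report or the malware itself."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# C2 values exactly as listed in the "Malware Config" section above.
REPORT_C2 = [
    ("amadey", "193.42.33.28/8bmdh3Slb2/index.php"),
    ("redline", "37.220.87.13:48790"),
    ("aurora", "37.220.87.13:8081"),
]


@dataclass(frozen=True)
class C2Indicator:
    family: str
    host: str
    port: int
    path: Optional[str]  # None for a bare ip:port socket indicator


def parse_c2(family: str, raw: str) -> C2Indicator:
    """Normalize the two C2 shapes in the config: 'host:port' and 'host/path'.

    Assumption (not stated in the report): a scheme-less 'host/path' entry
    is plain HTTP, so it defaults to port 80.
    """
    parts = urlsplit("http://" + raw)
    port = parts.port if parts.port is not None else 80
    path = parts.path if "/" in raw else None
    return C2Indicator(family, parts.hostname, port, path)


INDICATORS = [parse_c2(f, r) for f, r in REPORT_C2]

# Constructed log formats for the example (not a real sensor's schema):
#   CONN <ts> <src_ip:port> -> <dst_ip:port> <proto>
#   HTTP <ts> <src_ip> <method> <url> <status>
CONN_RE = re.compile(r"^CONN \S+ \S+ -> (?P<host>[\d.]+):(?P<port>\d+) ")
HTTP_RE = re.compile(r"^HTTP \S+ \S+ \S+ (?P<url>\S+) ")


def match_line(line: str, indicators=INDICATORS) -> Optional[Tuple[str, str]]:
    """Return (family, confidence) for the first indicator the line hits, else None.

    'exact'     destination host and port (or host and URL path) both match
    'host-only' only the C2 IP matches; weaker, since 37.220.87.13 hosts two
                families on different ports and may carry unrelated traffic
    """
    m = CONN_RE.match(line)
    if m:
        host, port = m["host"], int(m["port"])
        for ind in indicators:
            if ind.host == host and ind.port == port:
                return ind.family, "exact"
        for ind in indicators:
            if ind.host == host:
                return ind.family, "host-only"
        return None
    m = HTTP_RE.match(line)
    if m:
        u = urlsplit(m["url"])
        for ind in indicators:
            if ind.path is not None and ind.host == u.hostname and ind.path == u.path:
                return ind.family, "exact"
        for ind in indicators:
            if ind.host == u.hostname:
                return ind.family, "host-only"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, family, confidence) for every line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        r = match_line(line)
        if r:
            hits.append((n, r[0], r[1]))
    return hits


# Constructed sample log lines (not from the report or any real capture).
SAMPLE_LOG = [
    "CONN 2023-01-17T10:01:02Z 10.0.0.15:49211 -> 37.220.87.13:48790 tcp",
    "HTTP 2023-01-17T10:01:05Z 10.0.0.15 GET http://193.42.33.28/8bmdh3Slb2/index.php 200",
    "CONN 2023-01-17T10:02:00Z 10.0.0.22:51000 -> 37.220.87.13:443 tcp",
    "HTTP 2023-01-17T10:03:10Z 10.0.0.22 GET http://example.com/index.php 200",
    "CONN 2023-01-17T10:04:00Z 10.0.0.15:49300 -> 37.220.87.13:8081 tcp",
]

if __name__ == "__main__":
    for n, fam, conf in scan(SAMPLE_LOG):
        print(f"line {n}: {fam} C2 ({conf}) -> {SAMPLE_LOG[n - 1]}")
```

Run against the constructed lines, the RedLine and Aurora sockets and the Amadey panel URL produce exact hits, the connection to 37.220.87.13:443 is surfaced only as a host-only match, and the unrelated `/index.php` on example.com is ignored because the Amadey indicator requires the host to match as well as the path.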

Targets

    • Target

      2073406f740a15b0bcdc15b30d558dd7155fff533508247b4304b32d04c7ea85

    • Size

      246KB

    • MD5

      54d77d83a9d14719645848a53a9295a6

    • SHA1

      4e04bb8cd980f568df05b92a894b50cb1f5258b4

    • SHA256

      2073406f740a15b0bcdc15b30d558dd7155fff533508247b4304b32d04c7ea85

    • SHA512

      9ea89676aa993b0def9be6870bea7452ea38e0781e561b8484488a91705e9f1fbaee048ed7a7826f782e6f418708151cf9ac96184fc18771764fe97d2918ce9c

    • SSDEEP

      6144:eNN2mv+MgDd73GA1NXZn6zlvKoWFu7u1yikKQXvR:qrgZDGABWl5W6u1y9

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data such as saved credentials, cookies, session tokens and autofill entries.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites the register state of a thread, typically one created suspended in another process, to redirect execution; it is a common building block of process hollowing and other code-injection techniques.

MITRE ATT&CK Enterprise v6

Tasks