Overview

overview

10

Static

static

10

2c25b70f08...c4.exe

windows7-x64

10

2c25b70f08...c4.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe

  • Size

    235KB

  • Sample

    230119-cp5qvahf2w

  • MD5

    9630e11f88c832c3c7a5da18ef9cc0ac

  • SHA1

    5bfadbe22a7b3a1db3cb5a7f2ec224f4e44c7bd0

  • SHA256

    2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862

  • SHA512

    da94fdf546709e7f18af019cd92e23af81d161b9e2730b65719381da052320191d957db16d06b26021f8de686a7fb6b20d9715fe7e64a0c7063a6b3051dab4cd

  • SSDEEP

    6144:WfSsOzqs7nAV3QN2tW0J3SluVy3VYlSgXqgkX:jbN6J4uVy3VmSga

Score
10/10
amadeyeternityraccoonredlinesocelarsxworm571391c08bcfc49c97149aeb137899e0@dridexxsupport ( http://t.me/dridexxhackingtutorials )@redlinevip cloud (tg: @fatherofcarders)antivirusnesteredlinvertucollectiondiscoveryinfostealerpersistenceransomwareratspywarestealertrojanvmprotect

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.121/ZxhssZx/index.php

maximumpushtodaynotnowbut.com/Nmkn5d9Dn/index.php

motiontodaynotgogoodnowok.com/Nmkn5d9Dn/index.php

sogoodnowtodaynow.com/Nmkn5d9Dn/index.php

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.233:13553

Attributes
  • auth_value

    fbee175162920530e6bf470c8003fa1a

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Extracted

Family

redline

Botnet

vertu

C2

62.204.41.159:4062

Attributes
  • auth_value

    fcf83997f362e2cd45c3f3c30912dd41

Extracted

Family

redline

C2

193.47.61.243:80

45.88.67.20:80

91.107.159.152:33685
Attributes
  • auth_value

    e74a083712b9749c612d5e31999699a4

Extracted

Family

raccoon

Botnet

571391c08bcfc49c97149aeb137899e0

C2

http://185.180.199.215

rc4.plain

Extracted

Family

redline

Botnet

@DridexxSupport ( http://t.me/DridexxHackingTutorials )

C2

154.7.253.146:40762

Attributes
  • auth_value

    ee07f3e6fb42718b666e27fe7bb35986

Extracted

Family

redline

Botnet

neste

C2

62.204.41.159:4062

Attributes
  • auth_value

    b9733936e1c2ee57c3c48278ce732dbb

Extracted

Family

redline

Botnet

AntiVirus

C2

154.26.155.71:36391

Attributes
  • auth_value

    77a997dcfe99feabe45f3def68d1d395

Extracted

Family

redline

Botnet

redlin

C2

45.88.67.183:7304

Attributes
  • auth_value

    ec5a5f136c323a39d744feb362ef434a

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

193.42.33.28/8bmdh3Slb2/index.php

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/sdfeas18/

Extracted

Family

xworm

C2

sym.publicvm.com:6364

Mutex

Md5qBUoAJSZHv3e3

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe

    • Size

      235KB

    • MD5

      9630e11f88c832c3c7a5da18ef9cc0ac

    • SHA1

      5bfadbe22a7b3a1db3cb5a7f2ec224f4e44c7bd0

    • SHA256

      2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862

    • SHA512

      da94fdf546709e7f18af019cd92e23af81d161b9e2730b65719381da052320191d957db16d06b26021f8de686a7fb6b20d9715fe7e64a0c7063a6b3051dab4cd

    • SSDEEP

      6144:WfSsOzqs7nAV3QN2tW0J3SluVy3VYlSgXqgkX:jbN6J4uVy3VmSga

    Score
    10/10
    amadeyeternityraccoonredline571391c08bcfc49c97149aeb137899e0@dridexxsupport ( http://t.me/dridexxhackingtutorials )@redlinevip cloud (tg: @fatherofcarders)antivirusnesteredlinvertucollectiondiscoveryinfostealerpersistenceransomwarespywarestealertrojansocelarsxwormratvmprotect

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

      eternity

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks