Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    235KB

  • Sample

    230119-e64afscb31

  • MD5

    77e0a0a90e0231493bd421f4cdab0668

  • SHA1

    b09f8951b42a2993b637df9e41f6a25be106c2cb

  • SHA256

    75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000

  • SHA512

    d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4

  • SSDEEP

    6144:FSfSsOzqs7nAV3QN2tW0J3SluVy3VYygXqgkX:hbN6J4uVy3V3ga

Score
10/10
amadeyredline1dzokey1111111microsoftdiscoveryinfostealerpersistencephishingspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.27/9djZdj09/index.php

Extracted

Family

redline

Botnet

1

C2

librchichelpai.shop:81

rniwondunuifac.shop:81
Attributes
  • auth_value

    b6c86adb7106e9ee7247628f59e06830

Extracted

Family

redline

Botnet

Dzokey1111111

C2

82.115.223.9:15486

Attributes
  • auth_value

    a46fd18e8e0de86d363c12c2307db5e9

Targets

    • Target

      tmp

    • Size

      235KB

    • MD5

      77e0a0a90e0231493bd421f4cdab0668

    • SHA1

      b09f8951b42a2993b637df9e41f6a25be106c2cb

    • SHA256

      75520c76a4051b2be15db8625f35d4c1c63d93686bf849e6fc67f4e62d2fd000

    • SHA512

      d6a1c3ebe00c5d236dccab9fe867c8a87dea2a71cf54900cfe47cacf0c1d7a8e2dfbe91b466cad318144976fce340ba6f5e5da9a5c0cae71c1666ba09e6510e4

    • SSDEEP

      6144:FSfSsOzqs7nAV3QN2tW0J3SluVy3VYygXqgkX:hbN6J4uVy3V3ga

    Score
    10/10
    amadeyredline1discoveryinfostealerspywarestealertrojandzokey1111111microsoftpersistencephishing

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Detected potential entity reuse from brand microsoft.

      phishingmicrosoft

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks