General

  • Target

    ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

  • Size

    235KB

  • Sample

    230123-xel6zagc8w

  • MD5

    ebd584e9c1a400cd5d4bafa0e7936468

  • SHA1

    d263c62902326425ed17855d49d35003abcd797b

  • SHA256

    ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

  • SHA512

    e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

  • SSDEEP

    6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

redline

Botnet

nonem

C2

62.204.41.159:4062

Attributes
  • auth_value

    e6c5903bd2c2eaaf10cbbfd1fb675712

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.233:13553

Attributes
  • auth_value

    fbee175162920530e6bf470c8003fa1a

Extracted

Family

amadey

Version

3.65

C2

hellomr.observer/7gjD0Vs3d/index.php

researchersgokick.rocks/7gjD0Vs3d/index.php

pleasetake.pictures/7gjD0Vs3d/index.php

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

redline

Botnet

Rocket_20230123

C2

179.43.175.174:80

Attributes
  • auth_value

    307bf00a3589fb6a8838abfdfa21b790

Extracted

Family

aurora

C2

85.209.135.29:8081

Targets

    • Target

      ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

    • Size

      235KB

    • MD5

      ebd584e9c1a400cd5d4bafa0e7936468

    • SHA1

      d263c62902326425ed17855d49d35003abcd797b

    • SHA256

      ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

    • SHA512

      e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

    • SSDEEP

      6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Detect rhadamanthys stealer shellcode

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks