General

  • Target

    e164e19d2bb27b3ff481e864815edeeb

  • Size

    584KB

  • Sample

    230206-fech4acb37

  • MD5

    e164e19d2bb27b3ff481e864815edeeb

  • SHA1

    fe50a84707b7e7acdb948be4b7bc21ddbca1e268

  • SHA256

    1498389b39bb5db52d583bc40f9e021934d53bbf8b363809ca0d4e58f9ba30ef

  • SHA512

    a8cf5da96740f3e114e8ac7a2ce6a9ddf96b6c866c159f0989754bbc01dd9d4060352d4e9e4eb955683378913d3ff698bc7bc966af65d4632ca7a81a74f20bfb

  • SSDEEP

    12288:3MrQy90JI8V3ckvIrDZON7WoOufsodSlG4NV9XLE:DyMp3xArDguuk+r4NVlLE

Malware Config

  • Extracted

    Family: redline
    C2: 8.9.31.171:21237
    Attributes:
      auth_value: a45e539240f6577c0a8f730c3eef20a1

  • Extracted

    Family: redline
    Botnet: zaur
    C2: 62.204.41.170:4172
    Attributes:
      auth_value: 8f24dad16e6d64e3d692e48d05640734

  • Extracted

    Family: amadey
    Version: 3.66
    C2:
      62.204.41.5/Bu58Ngs/index.php
      62.204.41.88/9vdVVVjsw/index.php

  • Extracted

    Family: redline
    Botnet: ringo
    C2: 176.113.115.16:4122
    Attributes:
      auth_value: b8f864b25d84b5ed5591e4bfa647cdbe

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6