General

  • Target: 45d775640bd473f24b31f067d113bc20.bin
  • Size: 1.1MB
  • Sample: 230212-bn62vahh76
  • MD5: 8a844258742351e1308499d4fadd97e5
  • SHA1: 01ffe8a5cbfd1ed568472dcafbf23c2007557996
  • SHA256: 8510632b097594451ce49c279136dcc9a9fdcc13ed66f109b7a75f6ad04aec60
  • SHA512: 58d0f20e0c29acc86f390ed1c35903504bd650a2d09141373bdbf4e9d411b631b51aecf7a54674cb4069ee4df4f48d56269882c10f2ffffeda37d821e8c83a10
  • SSDEEP: 24576:JOPtnu1s+Zpm1uD8Wwp8XrdJ7yLrOfI5MBQ1FfVp/qI7br5/gN844CaHOvyBq8Hr:IxglDJceXqrOQ4ApblCaH6yQ8J+STJD

Malware Config

Extracted

  • Family: amadey
  • Version: 3.66
  • C2: 62.204.41.4/Gol478Ns/index.php

Extracted

  • Family: redline
  • Botnet: dunm
  • C2: 193.233.20.12:4132
  • Attributes
      • auth_value: 352959e3707029296ec94306d74e2334

Extracted

  • Family: redline
  • Botnet: romik
  • C2: 193.233.20.12:4132
  • Attributes
      • auth_value: 8fb78d2889ba0ca42678b59b884e88ff

Targets

    • Target: c089b46a8b4f99a363b65124cb133575e414577e0b3becb0c67f930922dccdef.exe
    • Size: 1.1MB
    • MD5: 45d775640bd473f24b31f067d113bc20
    • SHA1: 5c7a2c23fe37b36468d360afacda7949ae29c044
    • SHA256: c089b46a8b4f99a363b65124cb133575e414577e0b3becb0c67f930922dccdef
    • SHA512: 43f89288d6c5b187b04d02fabb0fa9085f4771cb826cd5586eb78b8f9bb8fefb7c4592054408004551fdf1e0514df6af68a4b33d27549b1b7622a19902f8db00
    • SSDEEP: 24576:vyu+UNfAp3WchPZPOPnnW5hpa1Gi9RzGN9:6wtU3WoZPOPgY9U

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

MITRE ATT&CK Enterprise v6

Tasks