General

  • Target: fb75412ff8a9aeee8bfbc0fefd3b8b04.bin
  • Size: 671KB
  • Sample: 230216-cj7y1sfa2t
  • MD5: 968add83a160ec0339c1d94e071acc4d
  • SHA1: 413e0ee8180ff9fd0ab90200356817c0c5fff26c
  • SHA256: 75c22b6bd35f6a8f2861824280d22f924913e2d4e25727d356022c49bc4058a8
  • SHA512: 79aea836a3443e91bfa8bf339752ed0d59c656d7c9ba049e727758a5d04b5c4450db16bf0ad1d8ee8a7fdf1b46faca077e7c24c978d4562fe13e998f0ee738b3
  • SSDEEP: 12288:C8meJdl8k3Z7EYJL+n0V4A6c3BomqoHfOdeBc9KyUULAjvjWyiuZ+5P:seJdSkxEYV+n0V4A6cRomqUfOde8DDie

Malware Config

Extracted
  • Family: redline
  • Botnet: dubka
  • C2: 193.233.20.13:4136
  • Attributes
    • auth_value: e5a9421183a033f283b2f23139b471f0

Extracted
  • Family: amadey
  • Version: 3.66
  • C2: 193.233.20.2/Bn89hku/index.php

Extracted
  • Family: redline
  • Botnet: ruma
  • C2: 193.233.20.13:4136
  • Attributes
    • auth_value: 647d00dfaba082a4a30f383bca5d1a2a

Targets

    • Target: e90640f76e8b7cb2dbb8a4b43c3bd8e45fd79ae419389c126ac4d2bbc4bf25df.exe
    • Size: 721KB
    • MD5: fb75412ff8a9aeee8bfbc0fefd3b8b04
    • SHA1: 62fd49a9bd5b4ea6adf6ebdcd2bb4d9e0960b918
    • SHA256: e90640f76e8b7cb2dbb8a4b43c3bd8e45fd79ae419389c126ac4d2bbc4bf25df
    • SHA512: f4debd082c9e8b386fb7518adbbffc151ec8fab7928da0ebbd5dc01fb0cc1d5f5febc6a4c31670e1d2404eaa5275e3cfaef42a8567b662d773530a69d9870ba2
    • SSDEEP: 12288:OMrIy90f1CGOrFx1bXpIKuUXsiQIP5kFn4ymQjji8Ka50MzHLVPlcOei6:OyYCGeFx1lbuUGIP5pyRuhi0MlPnN6

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
