General
-
Target
2b89b0313a1d0a4e65bfb1473359484b.exe
-
Size
1.0MB
-
Sample
230221-23dlysgh88
-
MD5
2b89b0313a1d0a4e65bfb1473359484b
-
SHA1
a0f14ba607856a9ca814290a4a72259cbb1d753b
-
SHA256
988881d6b5554563391986f4cc019b18e36274597fdb3bd54ef7c5603a516bdf
-
SHA512
7e0097b4188b8cbf03861b7cd17823ca22225552c49774d29b84c942d06374336a22c68fb62c3ba6c46fa978bd97b8238a19a56695609914f199fd5bbc1ceef4
-
SSDEEP
24576:Hyv5Q9s+UGZ/nLIyaeCu+MJ6ZB9vJHNBtyWG7Bo9:Sv5ANUGZ/nLjamKB9vJHNLyWGN
Malware Config
Extracted
redline
85.31.44.66:17742
-
auth_value
e9a89e5b72a729171b1655add99ee280
Extracted
redline
ronur
193.233.20.20:4134
-
auth_value
f88f86755a528d4b25f6f3628c460965
Extracted
redline
funka
193.233.20.20:4134
-
auth_value
cdb395608d7ec633dce3d2f0c7fb0741
Extracted
amadey
3.67
193.233.20.15/dF30Hn4m/index.php
Extracted
redline
kk1
176.113.115.17:4132
-
auth_value
df169d3f7f631272f7c6bd9a1bb603c3
Extracted
amadey
3.66
62.204.41.88/9vdVVVjsw/index.php
Extracted
amadey
3.65
77.73.134.27/8bmdh3Slb2/index.php
Extracted
redline
kk1n
176.113.115.17:4132
-
auth_value
7cc0dba66fd38fdcaf3bf43899aeaf59
Targets
-
-
Target
2b89b0313a1d0a4e65bfb1473359484b.exe
-
Size
1.0MB
-
MD5
2b89b0313a1d0a4e65bfb1473359484b
-
SHA1
a0f14ba607856a9ca814290a4a72259cbb1d753b
-
SHA256
988881d6b5554563391986f4cc019b18e36274597fdb3bd54ef7c5603a516bdf
-
SHA512
7e0097b4188b8cbf03861b7cd17823ca22225552c49774d29b84c942d06374336a22c68fb62c3ba6c46fa978bd97b8238a19a56695609914f199fd5bbc1ceef4
-
SSDEEP
24576:Hyv5Q9s+UGZ/nLIyaeCu+MJ6ZB9vJHNBtyWG7Bo9:Sv5ANUGZ/nLjamKB9vJHNLyWGN
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect rhadamanthys stealer shellcode
-
Detects PseudoManuscrypt payload
-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
PseudoManuscrypt
PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Enumerates VirtualBox registry keys
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Looks for VirtualBox Guest Additions in registry
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Uses the VBS compiler for execution
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
2Install Root Certificate
1Modify Registry
4Scripting
1Virtualization/Sandbox Evasion
4