Resubmissions

21-02-2023 00:04

230221-aclfbsda84 10

21-02-2023 00:00

230221-aajtqada77 10

General

  • Target

    4d324da16097a8601f541812aebd0b5538a26324f604083dab3c2149286e27ed

  • Size

    1.1MB

  • Sample

    230221-aajtqada77

  • MD5

    6aa87cec8a0369c3e1e66b4183cb6fee

  • SHA1

    a53c5c47323e84d2955a785c33a815abaa05906d

  • SHA256

    4d324da16097a8601f541812aebd0b5538a26324f604083dab3c2149286e27ed

  • SHA512

    e842e068e07ab21c038f26c87a83c23de09230af396323e67b3d6fb4d176d7dcb6af5b8a7d947c7b4287a986044792060e564b094aa1c39917b6d46fe5577a48

  • SSDEEP

    24576:cynKpJUWBTz435ag2SHqjCyVwLNl4TrOG6KaF2vJfvnl2dCjYxXrXiSq:LnKp+WBTz4aSG9iL7saL/2vJV1ErSS

Malware Config

Extracted

Family

redline

Botnet

ronam

C2

193.233.20.17:4139

Attributes
  • auth_value

    125421d19d14dd7fd211bc7f6d4aea6c

Extracted

Family

redline

Botnet

fucna

C2

193.233.20.17:4139

Attributes
  • auth_value

    16ab0f6ba753ccbeb028722745cf846f

Extracted

Family

amadey

Version

3.67

C2

193.233.20.15/dF30Hn4m/index.php

Extracted

Family

redline

Botnet

kk1

C2

176.113.115.17:4132

Attributes
  • auth_value

    df169d3f7f631272f7c6bd9a1bb603c3

Targets

    • Target

      4d324da16097a8601f541812aebd0b5538a26324f604083dab3c2149286e27ed

    • Size

      1.1MB

    • MD5

      6aa87cec8a0369c3e1e66b4183cb6fee

    • SHA1

      a53c5c47323e84d2955a785c33a815abaa05906d

    • SHA256

      4d324da16097a8601f541812aebd0b5538a26324f604083dab3c2149286e27ed

    • SHA512

      e842e068e07ab21c038f26c87a83c23de09230af396323e67b3d6fb4d176d7dcb6af5b8a7d947c7b4287a986044792060e564b094aa1c39917b6d46fe5577a48

    • SSDEEP

      24576:cynKpJUWBTz435ag2SHqjCyVwLNl4TrOG6KaF2vJfvnl2dCjYxXrXiSq:LnKp+WBTz4aSG9iL7saL/2vJV1ErSS

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks