Overview

overview

10

Static

static

1

3ef01ee791...09.exe

windows7-x64

10

3ef01ee791...09.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8d082c523f28ce7df55a1439077c0f8d.bin

  • Size

    921KB

  • Sample

    230224-bxcjlabf9y

  • MD5

    d44733b7f5f89c20fd78a8c0570e21ab

  • SHA1

    0ea560ab0cd1d8e164783db48922634a58399158

  • SHA256

    7d0fc0328219e4026d50ed9e86d9b138d5e55e24ab364461f68426e69eda0190

  • SHA512

    0228de71a8fc80d4669ead62a3ca7a4fb201cd7d409805b049d59d986d659ce53411177d034d982dc8fd79a985f1f4dea4caec839b148376f532a21286805e4f

  • SSDEEP

    24576:05DEDlOeoCkepiPWWjMaTi0NRgRjqc1mf:05oOVlTIR2x

Score
10/10
amadeyredlinefunkahackronurthomasdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

ronur

C2

193.233.20.20:4134

Attributes
  • auth_value

    f88f86755a528d4b25f6f3628c460965

Extracted

Family

redline

Botnet

funka

C2

193.233.20.20:4134

Attributes
  • auth_value

    cdb395608d7ec633dce3d2f0c7fb0741

Extracted

Family

amadey

Version

3.67

C2

193.233.20.15/dF30Hn4m/index.php

Extracted

Family

amadey

Version

3.66

C2

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

amadey

Version

3.65

C2

hellomr.observer/7gjD0Vs3d/index.php

researchersgokick.rocks/7gjD0Vs3d/index.php

pleasetake.pictures/7gjD0Vs3d/index.php

Extracted

Family

redline

Botnet

Hack

C2

154.17.165.178:10377

Attributes
  • auth_value

    50233687e98ee274b44a32fcc741f9a4

Extracted

Family

redline

Botnet

Thomas

C2

107.189.165.102:1919

Attributes
  • auth_value

    1a3e158dd21f084bceada6f65fc00a1c

Targets

    • Target

      3ef01ee791869b832e357a076b68bd9171040c88be601911cfbdd6782ab00909.exe

    • Size

      972KB

    • MD5

      8d082c523f28ce7df55a1439077c0f8d

    • SHA1

      1088c92c7a11b0d41d73e051fef4b492a8f542cf

    • SHA256

      3ef01ee791869b832e357a076b68bd9171040c88be601911cfbdd6782ab00909

    • SHA512

      5cbcd262831d05fb0700e8ddc659e9ba594089ef94a38e8d3c6ab5c85a6c84bc38b96e9260fb5f2d3d88b0180f8da0544a3b709f32ddb8ed934e63787f706950

    • SSDEEP

      24576:KyC9O/uW3a2YECOy1Rheqt3bpsCXG6fubLG4ahBI8Awq27C2bbf:RqUuQa2YE9y16qpbplXGy4UzAwq8Ci

    Score
    10/10
    amadeyredlinefunkahackronurthomasdiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

4
T1112

Disabling Security Tools

2
T1089

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks