General
-
Target
ca0a9eb1db5ed3d1b0a0b57e2b08ec68.bin
-
Size
639KB
-
Sample
230308-b8t8sadd97
-
MD5
2f94798a66b95200e2fc60b9eed69c08
-
SHA1
35746dc0f3a924e330dd30fd1a0ad9ed2fdc0066
-
SHA256
c065fd3f2bb044af08a7e09e768ad70d43e6aa076688241c14628ed38e4d5a63
-
SHA512
60b2b4d54407ab4f9d7c66def791e5e0f9e1c103a819a7c99cfa053b4ee90f347b9fd8c20e0a60803a97b414833bd70cc7dd5a81c16f0424e4b9c2e93b5f20dd
-
SSDEEP
12288:I8mCJPz8U1Eao3xCHnzj6lGait3VAmps6/tVsEA2ciYchX09:7JLjk4HzjUxCWFUzBiIg
Malware Config
Extracted
amadey
3.68
193.233.20.26/Do3m4Gor/index.php
Extracted
redline
fabio
193.233.20.27:4123
-
auth_value
56b82736c3f56b13be8e64c87d2cf9e5
Targets
-
-
Target
662c8d9273d5fd510fc528dd28d8ab78b5dcea95a08e76b49c240bb5aad24612.exe
-
Size
690KB
-
MD5
ca0a9eb1db5ed3d1b0a0b57e2b08ec68
-
SHA1
fa06339db9e00998f9954626c6899cca05ccb7e4
-
SHA256
662c8d9273d5fd510fc528dd28d8ab78b5dcea95a08e76b49c240bb5aad24612
-
SHA512
a705ae372e3fb41e3bf03ba115f3a6e91b01812fb814163371b4f3e4aa77c935df483553a3a36177c777694004699867fc3252be32924fec38636e4645117020
-
SSDEEP
12288:KMrly904cv16wl5ifE6rhJfjT8u5kiP3dfGMp30vY6h4K:Ly21rp6/3keXWvY6p
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-