General

  • Target

    5c2e8c0b5eccd20ec197dcf43b8c7b73c159464f39fb44668c5980002a47f354

  • Size

    689KB

  • Sample

    230317-s847esba3t

  • MD5

    fffac7f17a8900a4da4d2c1e2e4a49e1

  • SHA1

    8048354a7ac60429efb08a5217f0c7f5d84d2cbd

  • SHA256

    5c2e8c0b5eccd20ec197dcf43b8c7b73c159464f39fb44668c5980002a47f354

  • SHA512

    ebaa3c78a5ec812897942d29381d49c75bf164ab487d405970368195697f015d568e245f4fc294de2aba7c1d107091e18ff9d38cdc210c95f13af2a6e9596275

  • SSDEEP

    12288:CMrjy90d71CXV/RTpYo2IzY35LRHG70I9Trt7nhzLXM7YstXx:VyE71kVlpYojzYlRHGgI9Fukslx

Malware Config

Extracted

Family

redline

Botnet

lint

C2

193.233.20.28:4125

Attributes
  • auth_value

    0e95262fb78243c67430f3148303e5b7

Extracted

Family

amadey

Version

3.68

C2

62.204.41.87/joomla/index.php

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

redline

Botnet

rockins

C2

46.3.197.223:44446

Attributes
  • auth_value

    e36e02733016977bec980781774c6ef4

Targets

    • Target

      5c2e8c0b5eccd20ec197dcf43b8c7b73c159464f39fb44668c5980002a47f354

    • Size

      689KB

    • MD5

      fffac7f17a8900a4da4d2c1e2e4a49e1

    • SHA1

      8048354a7ac60429efb08a5217f0c7f5d84d2cbd

    • SHA256

      5c2e8c0b5eccd20ec197dcf43b8c7b73c159464f39fb44668c5980002a47f354

    • SHA512

      ebaa3c78a5ec812897942d29381d49c75bf164ab487d405970368195697f015d568e245f4fc294de2aba7c1d107091e18ff9d38cdc210c95f13af2a6e9596275

    • SSDEEP

      12288:CMrjy90d71CXV/RTpYo2IzY35LRHG70I9Trt7nhzLXM7YstXx:VyE71kVlpYojzYlRHGgI9Fukslx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks