General

  • Target

    b055d76652d288078906399490491a8a13f6cf38821e1a459116f6b5cdf59818

  • Size

    688KB

  • Sample

    230317-tsga4abb3t

  • MD5

    3c8804a0414af4ab15e47f17d89b49da

  • SHA1

    28652e592f31ecbac26f5539827e017cdac48ef6

  • SHA256

    b055d76652d288078906399490491a8a13f6cf38821e1a459116f6b5cdf59818

  • SHA512

    8628657b3d220783a9e383d45bcd83ce65f1bdcfeae00db79277f22c4a7440f478514a435fac6c9895d5238c298d74998eac54d793ec2cfa8cdcb33a995f6d9d

  • SSDEEP

    12288:FMrHy90ihkPtIA8vX7VWW3rsXZNRsPHKcEWf7K4BEXE4:+yAPF8vXZWWYNRsvVEW4

Malware Config

Extracted

Family

redline

Botnet

lint

C2

193.233.20.28:4125

Attributes
  • auth_value

    0e95262fb78243c67430f3148303e5b7

Extracted

Family

amadey

Version

3.68

C2

62.204.41.87/joomla/index.php

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Extracted

Family

redline

Botnet

rockins

C2

46.3.197.223:44446

Attributes
  • auth_value

    e36e02733016977bec980781774c6ef4

Targets

    • Target

      b055d76652d288078906399490491a8a13f6cf38821e1a459116f6b5cdf59818

    • Size

      688KB

    • MD5

      3c8804a0414af4ab15e47f17d89b49da

    • SHA1

      28652e592f31ecbac26f5539827e017cdac48ef6

    • SHA256

      b055d76652d288078906399490491a8a13f6cf38821e1a459116f6b5cdf59818

    • SHA512

      8628657b3d220783a9e383d45bcd83ce65f1bdcfeae00db79277f22c4a7440f478514a435fac6c9895d5238c298d74998eac54d793ec2cfa8cdcb33a995f6d9d

    • SSDEEP

      12288:FMrHy90ihkPtIA8vX7VWW3rsXZNRsPHKcEWf7K4BEXE4:+yAPF8vXZWWYNRsvVEW4

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks