Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

980018a5e71826511e2d8c72736c378e064d0700bb6f9510ce7d674593dd75a8
Size

1MB
Sample

230319-c4z4xaee88
MD5

8203e76d79eb538bd0a57162ed166544
SHA1

f7217cdb89288b59f72148fc4953d3225a90869b
SHA256

980018a5e71826511e2d8c72736c378e064d0700bb6f9510ce7d674593dd75a8
SHA512

414e2c2eb80c922dc7b26a705a35f8d80e53c11e2e4615910b546b80ea0fd65ef0413a7d3fbe3cd6b1587e533af6700f6448a8e23efd77cbcf398972244a3401
SSDEEP

24576:eDJ5TY38yph1yoB9sIRpm5diGwRx6e5Hsneu61WqNiRRZVIbUuR:e3TYsyLheombiGwRr19u6jka

Score

10^/10

amadey redline gena relon discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes

auth_value
93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

relon

C2

193.233.20.30:4125

Attributes

auth_value
17da69809725577b595e217ba006b869

Extracted

Family

amadey

Version

3.68

C2

31.41.244.200/games/category/index.php

Targets

- Target
  
  980018a5e71826511e2d8c72736c378e064d0700bb6f9510ce7d674593dd75a8
- Size
  
  1MB
- MD5
  
  8203e76d79eb538bd0a57162ed166544
- SHA1
  
  f7217cdb89288b59f72148fc4953d3225a90869b
- SHA256
  
  980018a5e71826511e2d8c72736c378e064d0700bb6f9510ce7d674593dd75a8
- SHA512
  
  414e2c2eb80c922dc7b26a705a35f8d80e53c11e2e4615910b546b80ea0fd65ef0413a7d3fbe3cd6b1587e533af6700f6448a8e23efd77cbcf398972244a3401
- SSDEEP
  
  24576:eDJ5TY38yph1yoB9sIRpm5diGwRx6e5Hsneu61WqNiRRZVIbUuR:e3TYsyLheombiGwRr19u6jka
Score

10^/10

amadey redline gena relon discovery evasion infostealer persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

amadeyredlinegenarelondiscoveryevasioninfostealerpersistencespywarestealertrojan