General

  • Target

    4a17e7bd3b5e47cf84cb0a50ae44c7e73c13a81b635ac7db9e73fe908d8450d6

  • Size

    1.0MB

  • Sample

    230319-myntssga58

  • MD5

    4e3fa02b59a708c41d7323036ce01c85

  • SHA1

    351023852b56deeec0e20ec8e9ea52c391bd558a

  • SHA256

    4a17e7bd3b5e47cf84cb0a50ae44c7e73c13a81b635ac7db9e73fe908d8450d6

  • SHA512

    01d36c9df55cee4f2d9a225b15f68e195ed739010e996ee23ea9b157bcf2a3895bbe8115d75fe3d07470770af1a255a27bd03412476a62f3e5232ea35a0d20ff

  • SSDEEP

    24576:YyZGIBTX/9oAKR1IkDjj7pFCRKVLsUIucY78l+w:fZGE9oAKn9DjrCspsUf4

Malware Config

Extracted

  • Family

    redline

  • Botnet

    gena

  • C2

    193.233.20.30:4125

  • Attributes

    auth_value: 93c20961cb6b06b2d5781c212db6201e

Extracted

  • Family

    redline

  • Botnet

    vint

  • C2

    193.233.20.30:4125

  • Attributes

    auth_value: fb8811912f8370b3d23bffda092d88d0

Extracted

  • Family

    amadey

  • Version

    3.68

  • C2

    62.204.41.87/joomla/index.php

Targets

    • Target

      4a17e7bd3b5e47cf84cb0a50ae44c7e73c13a81b635ac7db9e73fe908d8450d6

    • Size

      1.0MB

    • MD5

      4e3fa02b59a708c41d7323036ce01c85

    • SHA1

      351023852b56deeec0e20ec8e9ea52c391bd558a

    • SHA256

      4a17e7bd3b5e47cf84cb0a50ae44c7e73c13a81b635ac7db9e73fe908d8450d6

    • SHA512

      01d36c9df55cee4f2d9a225b15f68e195ed739010e996ee23ea9b157bcf2a3895bbe8115d75fe3d07470770af1a255a27bd03412476a62f3e5232ea35a0d20ff

    • SSDEEP

      24576:YyZGIBTX/9oAKR1IkDjj7pFCRKVLsUIucY78l+w:fZGE9oAKn9DjrCspsUf4

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks