General

  • Target

    26a5e93a04f53524e9e4dd3fd3fdff7b1ae108695173995c080258b5f41897eb

  • Size

    1007KB

  • Sample

    230323-q1fsrahh8w

  • MD5

    7f25519111c24b7dc65664e313e337f4

  • SHA1

    e1036cb12f71d8766254a8102cc111d9fce850ea

  • SHA256

    26a5e93a04f53524e9e4dd3fd3fdff7b1ae108695173995c080258b5f41897eb

  • SHA512

    ba3b0890ef4da149a8f41872ea35a0ef0390bb6c0873ac57058397d78a4926acdad609a3cc15bc21eaa727af22e62d775a706e15ffd8235fc85a013cdf7a8db1

  • SSDEEP

    24576:CyMblO/Ha38HiYAfSqvJIgFc0I2fu7PkNtj0j23TkiW:ppvav/yw08NV0

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

C2

193.233.20.31:4125

Attributes
  • auth_value

    4cf836e062bcdc2a4fdbf410f5747ec7

Extracted

Family

amadey

Version

3.68

C2

62.204.41.87/joomla/index.php

Targets

    • Target

      26a5e93a04f53524e9e4dd3fd3fdff7b1ae108695173995c080258b5f41897eb

    • Size

      1007KB

    • MD5

      7f25519111c24b7dc65664e313e337f4

    • SHA1

      e1036cb12f71d8766254a8102cc111d9fce850ea

    • SHA256

      26a5e93a04f53524e9e4dd3fd3fdff7b1ae108695173995c080258b5f41897eb

    • SHA512

      ba3b0890ef4da149a8f41872ea35a0ef0390bb6c0873ac57058397d78a4926acdad609a3cc15bc21eaa727af22e62d775a706e15ffd8235fc85a013cdf7a8db1

    • SSDEEP

      24576:CyMblO/Ha38HiYAfSqvJIgFc0I2fu7PkNtj0j23TkiW:ppvav/yw08NV0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks