General

  • Target: file
  • Size: 323KB
  • Sample: 230324-2zz1saca7x
  • MD5: d915386b9f157bed5fb89d1fa6fa6814
  • SHA1: 1a62d4df4127ed31070e49ad00797b886b56eb98
  • SHA256: 15e5d0f3035ddeb19ab45120c125c41d02a4317757d8a67c8545a31826d4b5a9
  • SHA512: 483ceb075b4d42f405cd73797061821a8980c01b64d5d11321f8ee2bded708a9f4c7e081d1dfd407ffeea75d67e6a12a902cd27a4fd1bb1946bb5e2b8fcefacd
  • SSDEEP: 6144:NNONJMM5+mcXt9ACfqadlJWzOPlQyJETGquGwwqVva:7ONJMi+mcXsCiazPwyqOz8

Malware Config

Extracted

  • Family: amadey
  • Version: 3.68
  • C2: 88.218.60.230/7vzZwkv2/index.php

Extracted

  • Family: redline
  • Botnet: 7
  • C2: 89.22.237.107:44745
  • Attributes
      • auth_value: 9fb4a4a8b5764119b91a5d9c6a94b401

Targets

    • Target: file
    • Size: 323KB
    • MD5: d915386b9f157bed5fb89d1fa6fa6814
    • SHA1: 1a62d4df4127ed31070e49ad00797b886b56eb98
    • SHA256: 15e5d0f3035ddeb19ab45120c125c41d02a4317757d8a67c8545a31826d4b5a9
    • SHA512: 483ceb075b4d42f405cd73797061821a8980c01b64d5d11321f8ee2bded708a9f4c7e081d1dfd407ffeea75d67e6a12a902cd27a4fd1bb1946bb5e2b8fcefacd
    • SSDEEP: 6144:NNONJMM5+mcXt9ACfqadlJWzOPlQyJETGquGwwqVva:7ONJMi+mcXsCiazPwyqOz8

    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys
      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                        Count  ID
  Execution              Scheduled Task                   1      T1053
  Persistence            Scheduled Task                   1      T1053
  Privilege Escalation   Scheduled Task                   1      T1053
  Defense Evasion        Virtualization/Sandbox Evasion   2      T1497
  Defense Evasion        Install Root Certificate         1      T1130
  Defense Evasion        Modify Registry                  1      T1112
  Credential Access      Credentials in Files             2      T1081
  Discovery              Query Registry                   4      T1012
  Discovery              Virtualization/Sandbox Evasion   2      T1497
  Discovery              System Information Discovery     3      T1082
  Collection             Data from Local System           2      T1005
  Command and Control    Web Service                      1      T1102

Tasks