General

  • Target

    9d42e0b24dc22b84b6892424d111f8fb.bin

  • Size

    967KB

  • Sample

    230326-b63gdafb45

  • MD5

    b7562da448800d86bc6be68a80da8ece

  • SHA1

    805134a27789ba7567029ddf2338f7ae870ba10a

  • SHA256

    1071ca2292e07693b117c0eabe2f089967471bb8b8700ea976f5dec9355e28f4

  • SHA512

    40215b341aea07fa00b6a6f97bd0891d050fe0a3a757bd5a14b27fbec89c6daac717c76f515dfcee9a15fb45e3efa2fe793757c68ec39030d5cca3a533692e45

  • SSDEEP

    24576:3pxKsylI0Bo+jUgYIivGtdiTO7/qzVmcCN5hATdF:3pxK/No+zYNuH6O76mxDh8F

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

nerv

C2

193.233.20.32:4125

Attributes
  • auth_value

    e383fe5545fbf9f612ad8eee12544595

Extracted

Family

amadey

Version

3.68

C2

31.41.244.200/games/category/index.php

Targets

    • Target

      be5bf2f44aa3686c00a4f1c337f4a605422bb1f6ac5b94180223ca0df4478273.exe

    • Size

      1011KB

    • MD5

      9d42e0b24dc22b84b6892424d111f8fb

    • SHA1

      eb00ab34d5b34c11fbd8cc7bd9359388183d6aa8

    • SHA256

      be5bf2f44aa3686c00a4f1c337f4a605422bb1f6ac5b94180223ca0df4478273

    • SHA512

      b3db51158f619f96b7603aa3e3af3d5dd27a4ce6dd7ad072dd2b919089fa4a1e3db36cc8374c0d0981cc56af834f08d6919c082a79570078c8d98e380072d1a8

    • SSDEEP

      24576:HyXNL6IPv4Uz3uOnxsjhUuR1la4VQ7XJ:SXF6I4Uz3u0xsjtRe77X

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks