Overview

overview

10

Static

static

1

60a8faffcc...a8.exe

windows7-x64

10

60a8faffcc...a8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    60a8faffcc0215a5b11541c48f8f77a8.exe

  • Size

    1.0MB

  • Sample

    230327-qv95eadf66

  • MD5

    60a8faffcc0215a5b11541c48f8f77a8

  • SHA1

    cf8e9c6a2cd4714021811c7e66feac5e17bf4552

  • SHA256

    abb18917606c6031ab4139c3a5da92902af409ab055b48893924ed706b68cad0

  • SHA512

    a2116e5b9154380cb52897426379466671cba92f85affb3aad0b96b4c4575199b66793c7d1864fca692bbafd7e4e1a3cc129b858d4a63c4740aafbc540a4f16f

  • SSDEEP

    24576:Iyj5XnS5LY9/Qkvm/i/AxICW9ZR1hF/H+6:PjRnMqQk61mhp

Score
10/10
amadeyredlineanhthe007sonyviladiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

C2

66.42.108.195:40499

Attributes
  • auth_value

    f93019ca42e7f9440be3a7ee1ebc636d

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

vila

C2

193.233.20.33:4125

Attributes
  • auth_value

    94b115d79ddcab0a0fb9dfab8e225c3b

Extracted

Family

amadey

Version

3.68

C2

62.204.41.87/joomla/index.php

Extracted

Family

redline

Botnet

anhthe007

C2

199.115.193.116:11300

Attributes
  • auth_value

    99c4662d697e1c7cb2fd84190b835994

Targets

    • Target

      60a8faffcc0215a5b11541c48f8f77a8.exe

    • Size

      1.0MB

    • MD5

      60a8faffcc0215a5b11541c48f8f77a8

    • SHA1

      cf8e9c6a2cd4714021811c7e66feac5e17bf4552

    • SHA256

      abb18917606c6031ab4139c3a5da92902af409ab055b48893924ed706b68cad0

    • SHA512

      a2116e5b9154380cb52897426379466671cba92f85affb3aad0b96b4c4575199b66793c7d1864fca692bbafd7e4e1a3cc129b858d4a63c4740aafbc540a4f16f

    • SSDEEP

      24576:Iyj5XnS5LY9/Qkvm/i/AxICW9ZR1hF/H+6:PjRnMqQk61mhp

    Score
    10/10
    amadeyredlineanhthe007sonyviladiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks