Overview

overview

10

Static

static

1

34c064d8fd...0f.exe

windows7-x64

10

34c064d8fd...0f.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e37b39e745a9c440ac23d502ed85af55.bin

  • Size

    976KB

  • Sample

    230329-b8ywzaga7s

  • MD5

    50a8f28d66fd103dc5afff75cbd45ea0

  • SHA1

    13f19beff449d3dcb8fe5ede946aba6df3e0c477

  • SHA256

    fb1402a07010ebb5142144e869949ea717bd28839741b66b03548ac28c218464

  • SHA512

    c372d155f9bd97907e032ed82d2eacfb4331b5cc50c8753689f24b985abb1df2eb0e8437b415fb1a080c4dfc9a02236d45b87c062dc5ae26f241171e605fa217

  • SSDEEP

    24576:8+kKuEPcdtW7LWYy7J07VodZpFS+tb1RM3QKBFm0q0Ma0+qa:WEEdcPWY18ZpFS+Z19Kvhqa

Score
10/10
amadeyredlinegongsonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

gong

C2

193.233.20.33:4125

Attributes
  • auth_value

    16950897b83de3bba9e4de36f06a8c05

Extracted

Family

amadey

Version

3.68

C2

31.41.244.200/games/category/index.php

Targets

    • Target

      34c064d8fd5046e9b2949e7cedf75d5882581decb1915c902d43ad70e5cbac0f.exe

    • Size

      1020KB

    • MD5

      e37b39e745a9c440ac23d502ed85af55

    • SHA1

      73d2dcd7258c6a9cd6ab2db6b1f4766ce1b43374

    • SHA256

      34c064d8fd5046e9b2949e7cedf75d5882581decb1915c902d43ad70e5cbac0f

    • SHA512

      4598f6a231357ab23077c6870f647a67f4168d1829acfa57d7042a8df5ac89e81948b3d88032e36fb0f69a2a78b09c14d88de64bd0c7f116da1969cb5bff46ee

    • SSDEEP

      24576:uy6Gp+m9R43FJYuhyCVp8QEcQbPIgqbE:96GIYR4US835Iz

    Score
    10/10
    amadeyredlinegongsonydiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks