General
-
Target
fffd440bde689353048707085d4d65a1a8c86c0559af42a017777d3ecf050a20
-
Size
998KB
-
Sample
230331-z3fefaeg8s
-
MD5
d28473163ed518e5650dd975f8a775df
-
SHA1
69412f253b97f8b54ad1377b790a71138c329c07
-
SHA256
fffd440bde689353048707085d4d65a1a8c86c0559af42a017777d3ecf050a20
-
SHA512
a9184601ed7f869df6bb61afe194dd7511c5522a75cbfa23c2fdc86cf212ed153e05ae1c2a4d27f17bdfa59aae286105e8558bc03df83690c42e64c74169c288
-
SSDEEP
24576:xyofm1KYzYsFklIqbiUsb1VVjKQlp5h39SnZX81T:kQaalIqbiUshVVjKQ3Nn1
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
lift
176.113.115.145:4125
-
auth_value
94f33c242a83de9dcc729e29ec435dfb
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Targets
-
-
Target
fffd440bde689353048707085d4d65a1a8c86c0559af42a017777d3ecf050a20
-
Size
998KB
-
MD5
d28473163ed518e5650dd975f8a775df
-
SHA1
69412f253b97f8b54ad1377b790a71138c329c07
-
SHA256
fffd440bde689353048707085d4d65a1a8c86c0559af42a017777d3ecf050a20
-
SHA512
a9184601ed7f869df6bb61afe194dd7511c5522a75cbfa23c2fdc86cf212ed153e05ae1c2a4d27f17bdfa59aae286105e8558bc03df83690c42e64c74169c288
-
SSDEEP
24576:xyofm1KYzYsFklIqbiUsb1VVjKQlp5h39SnZX81T:kQaalIqbiUshVVjKQ3Nn1
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-