General

  • Target

    a5aa46c459139311f5e0418a75cc4b44fee49c318ef9632785b048fe704db127

  • Size

    930KB

  • Sample

    230410-s9k5yaed44

  • MD5

    c22fff4be6eb2a6236aa321686bed88b

  • SHA1

    6b2b08c19b2ff9967982161b090e12060ed290f9

  • SHA256

    fd79c131db0c133e3e2ce4243bfa4ed09b43bf6e096b8b166e9be56c0c81bcb1

  • SHA512

    afb0c4db5ce1d83ae41adf5cefe2b2a1ea556f5410798842371d33311958bf305e45ae680036bd49269dcd3cad285e5b0344f6fdf70c03a4e871352fe69045ee

  • SSDEEP

    24576:3ymNvJxWocM5Ohe7FFdxdsysotlAJWzMrBrH:CCRgsOyF7tkxBrH

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lego

C2

176.113.115.145:4125

Attributes

  • auth_value

    5631ccac2c71d49629a3877d1a8ad354

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Extracted

Family

redline

Botnet

Hoàng

C2

199.115.193.116:11300

Attributes

  • auth_value

    da68f18ceccfa4d998c65572ae1f9575

Extracted

Family

redline

Botnet

0409Lucky-bot

C2

135.181.101.75:33666

Targets

    • Target

      a5aa46c459139311f5e0418a75cc4b44fee49c318ef9632785b048fe704db127

    • Size

      974KB

    • MD5

      f45e700680e5ea2f5a3cb42e4640063b

    • SHA1

      32d99a3c74a41086f9435361662cf0ac538cae4a

    • SHA256

      a5aa46c459139311f5e0418a75cc4b44fee49c318ef9632785b048fe704db127

    • SHA512

      1b0db1b2a8af487613b68b14fe61e10309c6038b9ae28c29f021526182dd157a9a84cce9c8717356ba9fef9564182dab7b78722e474b84ee3510beb9dd5e00e4

    • SSDEEP

      24576:1y8BvnIcMDGReNJFdzaL6o1l61iRM/Br8Bd:QsfAGOJCB1IRBg

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and other profile data.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks