General

  • Target

    a07fd920c152d6830ef3453b0981f48510b3822d7b64733a5cf2dc254ac11d72

  • Size

    939KB

  • Sample

    230410-z63n5sgd26

  • MD5

    7b564306d357d9d40c84d821604398f8

  • SHA1

    6898204cdbceb7d92e5b0bb40baec463a2d5c27f

  • SHA256

    a07fd920c152d6830ef3453b0981f48510b3822d7b64733a5cf2dc254ac11d72

  • SHA512

    6465f7e04b830c3304483c3c551721917bfea94c971c2af553f821915f47242ea51cc351d69c8d139ca1cc7181e21f7c06a304b403b2c95076e77aed905cc364

  • SSDEEP

    24576:oy+RPHFC1nbA8GBoYOKLIHK5PbgcuIKVIe2a:v+RPOYoY5xccBKVf

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

C2

176.113.115.145:4125

Attributes
  • auth_value

    2ef701d510c0d27e8a8e3270281678b1

Targets

    • Target

      a07fd920c152d6830ef3453b0981f48510b3822d7b64733a5cf2dc254ac11d72

    • Size

      939KB

    • MD5

      7b564306d357d9d40c84d821604398f8

    • SHA1

      6898204cdbceb7d92e5b0bb40baec463a2d5c27f

    • SHA256

      a07fd920c152d6830ef3453b0981f48510b3822d7b64733a5cf2dc254ac11d72

    • SHA512

      6465f7e04b830c3304483c3c551721917bfea94c971c2af553f821915f47242ea51cc351d69c8d139ca1cc7181e21f7c06a304b403b2c95076e77aed905cc364

    • SSDEEP

      24576:oy+RPHFC1nbA8GBoYOKLIHK5PbgcuIKVIe2a:v+RPOYoY5xccBKVf

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

2
T1005

Tasks