General

  • Target

    112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4

  • Size

    939KB

  • Sample

    230410-zk7qzagb86

  • MD5

    7e6381465d2766364e69b43264a028d1

  • SHA1

    d7c1cba3f6deb6a8cd1c4fe4dfa82bbe8b40526a

  • SHA256

    112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4

  • SHA512

    08e9c08a8a6865da0c57d58c15ac16964907afb78c6c8c5e8ce91649bce5c41d4b05743c90eb90b69219f3f804e49dfc9b8f5dfc7f2b5ca8e19510eac02d2cd9

  • SSDEEP

    12288:/Mrgy90Hat0dwVh0enTDzs+93zJQNRCK7rZfIqjV4oZmuaZ7gcM23T2nST1m76ZR:nyYdwVecT8+93zm/CIZfIqkqSTYATd

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

C2

176.113.115.145:4125

Attributes
  • auth_value

    2ef701d510c0d27e8a8e3270281678b1

Targets

    • Target

      112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4

    • Size

      939KB

    • MD5

      7e6381465d2766364e69b43264a028d1

    • SHA1

      d7c1cba3f6deb6a8cd1c4fe4dfa82bbe8b40526a

    • SHA256

      112b98541698cf9b24dacd46a9822e6312909c107e5e969753402ab53a4294c4

    • SHA512

      08e9c08a8a6865da0c57d58c15ac16964907afb78c6c8c5e8ce91649bce5c41d4b05743c90eb90b69219f3f804e49dfc9b8f5dfc7f2b5ca8e19510eac02d2cd9

    • SSDEEP

      12288:/Mrgy90Hat0dwVh0enTDzs+93zJQNRCK7rZfIqjV4oZmuaZ7gcM23T2nST1m76ZR:nyYdwVecT8+93zm/CIZfIqkqSTYATd

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

2
T1005

Tasks