General

  • Target

    5fa4e9817ffd5401599d3953f5ce080a2a3c1955fa3af2e60ede42eed52e2284

  • Size

    938KB

  • Sample

    230410-znq8dsgc24

  • MD5

    1fee4cf9a946a0123830edcb4efaa678

  • SHA1

    603e59e986df51e1940bd862b8dd7071d1fdb0af

  • SHA256

    5fa4e9817ffd5401599d3953f5ce080a2a3c1955fa3af2e60ede42eed52e2284

  • SHA512

    0c78f05ad46f9077a9073b6054a56c52f9745dd127f97b59fe62c3801b3d2b54eba2a6a8b29f9225cba1f1d3473b8914480144adb849a3b00e51fa531c26505e

  • SSDEEP

    24576:AyMMNmzcPc4geaNaEWkH31pXIm9GSfP/pUwn0Vj:HIzcPyeaoEPH3n4SX/pUU

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

C2

176.113.115.145:4125

Attributes
  • auth_value

    2ef701d510c0d27e8a8e3270281678b1

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Modify Existing Service (T1031): 1
  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion
  • Modify Registry (T1112): 3
  • Disabling Security Tools (T1089): 2

Credential Access
  • Credentials in Files (T1081): 2

Discovery
  • Query Registry (T1012): 1

Collection
  • Data from Local System (T1005): 2

Tasks