General

  • Target

    2e31a300006372b25f4374bcf23a0bc4230b942dddd44110150b98052aead9cd

  • Size

    790KB

  • Sample

    230411-fmdq5aca8y

  • MD5

    8a5d01a9e2c2c71b11d5542d65737703

  • SHA1

    cc225d7e5f248b8cd0c6ad6569c5e6ecacf224ea

  • SHA256

    2e31a300006372b25f4374bcf23a0bc4230b942dddd44110150b98052aead9cd

  • SHA512

    614ab0111aab8a5ce4ea38edb293bdcd55538dcf3730a37add058cffe2cf64f8e795e328c15a47fa4bbdd87ad8b21da3fdcf8f631f0823d12cdf2f3d3dd51c1d

  • SSDEEP

    12288:oMrfy90JYOsP/q0aitfYmNesbkAzxvy+iefmOLUtZXCbByqRMqODQf/fQfn:XycYd/q0ptr8AzxK0ffQZXGM3k3ov

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nahui

C2

176.113.115.145:4125

Attributes
  • auth_value

    b9ed10946d21e28d58d0c72c535cde6f

Targets

    • Target

      2e31a300006372b25f4374bcf23a0bc4230b942dddd44110150b98052aead9cd

    • Size

      790KB

    • MD5

      8a5d01a9e2c2c71b11d5542d65737703

    • SHA1

      cc225d7e5f248b8cd0c6ad6569c5e6ecacf224ea

    • SHA256

      2e31a300006372b25f4374bcf23a0bc4230b942dddd44110150b98052aead9cd

    • SHA512

      614ab0111aab8a5ce4ea38edb293bdcd55538dcf3730a37add058cffe2cf64f8e795e328c15a47fa4bbdd87ad8b21da3fdcf8f631f0823d12cdf2f3d3dd51c1d

    • SSDEEP

      12288:oMrfy90JYOsP/q0aitfYmNesbkAzxvy+iefmOLUtZXCbByqRMqODQf/fQfn:XycYd/q0ptr8AzxK0ffQZXGM3k3ov

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks