General

  • Target: setup.exe
  • Size: 891KB
  • Sample: 230424-adrczagf87
  • MD5: 24d35af384859b9132200d58aa54827f
  • SHA1: c743a24bcefb6261a1f2479365cf811292b59b89
  • SHA256: 13bc1e0dd1b6e99fbf82ec88b71015c972082bff07313d0eb674530cdb6bd392
  • SHA512: b36fa7a44f3b60ed5dcda620e744df6fe15eedc9469aaf6fa52269d290969f1f3d80483f81f66cd61924889ac50bdbfde4fff388459a886c4d8c890c8112bf34
  • SSDEEP: 12288:Ay90D/5O+dvtUVZF+S9LOL9EdiCD1k2zEifoc52DAxKk8cITxD80JZZw19r8fAwb:Ayi5O6CVZvOa/gifIDAEltb1YaSK

Malware Config

Extracted

  • Family: amadey
  • Version: 3.70
  • C2: 212.113.119.255/joomla/index.php

Extracted

  • Family: redline
  • Botnet: Heaven
  • C2: 103.161.170.185:33621
  • Attributes
      • auth_value: 0dbeabaddb415a98dbde3a27af173ac5

Targets

    • Target: setup.exe

    • Amadey: Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • Downloads MZ/PE file
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Windows security modification
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks