Overview

overview

10

Static

static

3

440ca6ae93...00.exe

windows7-x64

10

440ca6ae93...00.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    68f4fffa0655da67fe4314d3a0108fe1.bin

  • Size

    1.2MB

  • Sample

    230502-b1rspahc84

  • MD5

    4e9533cb01912734e5b983f931ff0cf4

  • SHA1

    9e0c50f81bb2a3f3cd7a75dcb534c36ecaf914ee

  • SHA256

    c2d5cc3ed9bb928e9dc1c50d7aa4a1e3c9e32d47f52105eb37a9977f58dcb47c

  • SHA512

    b8dc0a208657ce4dd42cc099529c721b5f985812f642f0959e967ab83be6abf5564a94b117de0b95cceaa57ca4e062b04b10b498542b44287e86942e517480bc

  • SSDEEP

    24576:KBdj9fYJAabNwmsdef99C6t7fZjZMeJH5o1NXYGdWtugkDOiUGjXT9Nz6:gavbNwvc5ZjZMex5r3tyjjz6

Score
10/10
amadeyredlinegenalifediscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

185.161.248.73:4164

Attributes
  • auth_value

    d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

C2

185.161.248.73:4164

Attributes
  • auth_value

    8685d11953530b68ad5ec703809d9f91

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Targets

    • Target

      440ca6ae933fb42123ed2368c8d725c51752a31210492a1c731bebc5e1b9a900.exe

    • Size

      1.2MB

    • MD5

      68f4fffa0655da67fe4314d3a0108fe1

    • SHA1

      0be190df38f794040fad8a79af7990c8fd15789c

    • SHA256

      440ca6ae933fb42123ed2368c8d725c51752a31210492a1c731bebc5e1b9a900

    • SHA512

      ee1ef526b07db4b92d0d08f245cb1e1f0be4ae8fc840d0354e7aa5d6c377759671bb95ac86f74d7585c09b09339a6048d75c8b6bdf4fa34f15570ef25f00b3dc

    • SSDEEP

      24576:sykFF3Y25qn+8drBh3UAQf/AQGHhRAZc8sS+1anUJTZ4:b4oWq+Oh9miKVianUJTZ

    Score
    10/10
    amadeyredlinegenalifediscoveryevasioninfostealerpersistencespywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks