General

  • Target

    675d1ea77be6213c9a3c69fc5541e2ee1dd589157a9ce0c110b078132efe2e09.bin

  • Size

    1.5MB

  • Sample

    230506-18g1wsdf3t

  • MD5

    07a11136d6007ca881361e2d9b4f5e90

  • SHA1

    938a1787ebf7381101410ab0bb195f69d5368501

  • SHA256

    675d1ea77be6213c9a3c69fc5541e2ee1dd589157a9ce0c110b078132efe2e09

  • SHA512

    6d2075c8d944c659379aa1ce6e2791b6a988bccf591964627f82395116af267f781a089ba9b6db406bdd5d33773067772471fb68376db9d27f4a65d020b06ab8

  • SSDEEP

    24576:NywITFK1mrlvep+AdV7qdtD7+OVRkGnBxSyWzBy0ggRpc/my0zNgNVPIIJTnCMFG:owoFtlU+Q7KtHDVaqxSyT0gwRagIJrP

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Extracted

Family

redline

Botnet

gena

C2

185.161.248.73:4164

Attributes
  • auth_value

    d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

C2

185.161.248.73:4164

Attributes
  • auth_value

    8685d11953530b68ad5ec703809d9f91

Targets

    • Target

      675d1ea77be6213c9a3c69fc5541e2ee1dd589157a9ce0c110b078132efe2e09.bin

    • Size

      1.5MB

    • MD5

      07a11136d6007ca881361e2d9b4f5e90

    • SHA1

      938a1787ebf7381101410ab0bb195f69d5368501

    • SHA256

      675d1ea77be6213c9a3c69fc5541e2ee1dd589157a9ce0c110b078132efe2e09

    • SHA512

      6d2075c8d944c659379aa1ce6e2791b6a988bccf591964627f82395116af267f781a089ba9b6db406bdd5d33773067772471fb68376db9d27f4a65d020b06ab8

    • SSDEEP

      24576:NywITFK1mrlvep+AdV7qdtD7+OVRkGnBxSyWzBy0ggRpc/my0zNgNVPIIJTnCMFG:owoFtlU+Q7KtHDVaqxSyT0gwRagIJrP

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks