General

  • Target: 27ead757de0b0ca55450c5d8cc53c6fe.exe.bin
  • Size: 1.5MB
  • Sample: 230507-aq2pgaeb6w
  • MD5: 27ead757de0b0ca55450c5d8cc53c6fe
  • SHA1: bfadc4ff184893938d2a76a69f83f391c778557a
  • SHA256: 07a482b57b07d95eb183c4637b3b66928b8965727dde9cc1a43a1167166b64d8
  • SHA512: a60c98193f1c6164337b4da77902fe51c47b333296b0442bc0eaef7785c2a2117c26fa69db5b43aa64651d7927f7d3d52573e504fbaac0e2ed01f085313e68c9
  • SSDEEP: 24576:ny0vXuziDrn7/nhNyZUQgyhttJxVDlQklm0ooB8dLaDnvsvkZqT4gkOCFIsFS0x0:yaXLLzzyGjyrt7JlLdL8dLaDngSqc6Uk

Malware Config

Extracted

  • Family: amadey
  • Version: 3.70
  • C2: 212.113.119.255/joomla/index.php

Extracted

  • Family: redline
  • Botnet: life
  • C2: 185.161.248.73:4164
  • Attributes
    • auth_value: 8685d11953530b68ad5ec703809d9f91
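The two C2 values above are the most directly actionable part of this report. The following is an added example (written for this page, not tooling from the sandbox or from either malware family) that normalises both config strings into host / port / path indicators and matches them against network logs: a CLF-style proxy log for the Amadey HTTP check-in URL and a flow-style log for the RedLine TCP endpoint. The log lines are constructed for the example, not captured traffic; the regexes assume those two log layouts.

```python
# Added example: match the C2 indicators extracted above against network logs.
# Illustrative code written for this page, not tooling from the sandbox or
# from either malware family. Log lines below are constructed, not captured.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# C2 values exactly as the sandbox extracted them (Malware Config section)
C2_CONFIG = {
    "amadey": ["212.113.119.255/joomla/index.php"],   # scheme-less URL
    "redline": ["185.161.248.73:4164"],               # host:port
}


@dataclass(frozen=True)
class Indicator:
    family: str
    host: str
    port: Optional[int]   # None when the config carries no port (Amadey)
    path: Optional[str]   # None when the config carries no path (RedLine)


def parse_c2(family: str, raw: str) -> Indicator:
    """Normalise a raw C2 string into host / port / path.

    Neither config string carries a scheme, so urlsplit would read the host
    as a path; prefixing "//" makes it parse the first token as the netloc.
    """
    parts = urlsplit("//" + raw)
    return Indicator(family, parts.hostname, parts.port, parts.path or None)


INDICATORS = [parse_c2(fam, raw) for fam, raws in C2_CONFIG.items() for raw in raws]

# Request line inside a CLF-style proxy log: "METHOD URL HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD|CONNECT) (\S+) HTTP/')
# Destination "ip:port" after "->" in a flow-style log line (assumed layout)
FLOW_DST_RE = re.compile(r"-> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")


def match_proxy_line(line: str) -> List[str]:
    """Return the families whose C2 matches the URL in a proxy log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    u = urlsplit(m.group(1))
    port = u.port or (443 if u.scheme == "https" else 80)
    return [
        ind.family for ind in INDICATORS
        if ind.host == u.hostname
        and (ind.port is None or ind.port == port)
        and (ind.path is None or ind.path == u.path)
    ]


def match_flow_line(line: str) -> List[str]:
    """Return the families whose C2 host (and port, if known) matches a flow."""
    m = FLOW_DST_RE.search(line)
    if not m:
        return []
    dst, port = m.group(1), int(m.group(2))
    return [
        ind.family for ind in INDICATORS
        if ind.host == dst and (ind.port is None or ind.port == port)
    ]


def scan(proxy_lines, flow_lines) -> List[Tuple[str, str]]:
    """Run both matchers and return (family, offending line) pairs."""
    hits = []
    for line in proxy_lines:
        hits += [(fam, line) for fam in match_proxy_line(line)]
    for line in flow_lines:
        hits += [(fam, line) for fam in match_flow_line(line)]
    return hits


# Constructed sample logs (not captured traffic): one Amadey check-in over HTTP,
# one RedLine TCP connection, and two benign lines that must not match.
SAMPLE_PROXY_LOG = [
    '10.0.0.15 - - [07/May/2023:09:12:44 +0000] "POST http://212.113.119.255/joomla/index.php HTTP/1.1" 200 512',
    '10.0.0.15 - - [07/May/2023:09:12:50 +0000] "GET http://example.com/index.php HTTP/1.1" 200 1024',
]
SAMPLE_FLOW_LOG = [
    "2023-05-07T09:13:01Z 10.0.0.15:49732 -> 185.161.248.73:4164 TCP",
    "2023-05-07T09:13:05Z 10.0.0.15:49733 -> 185.161.248.73:443 TCP",
]

if __name__ == "__main__":
    for family, line in scan(SAMPLE_PROXY_LOG, SAMPLE_FLOW_LOG):
        print(f"[{family}] {line}")
```

The RedLine indicator is matched on host and port only, so a connection to 185.161.248.73 on another port is deliberately not reported as RedLine; the Amadey indicator carries no port, so any HTTP request to that exact host and path matches regardless of port. Loosen either rule consciously if you want host-only hunting.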

Targets

    • Target: 27ead757de0b0ca55450c5d8cc53c6fe.exe.bin
    • Amadey

      Amadey is a simple trojan bot, primarily used to collect host reconnaissance information; it is also commonly used as a loader for other payloads.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application
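Three of the signatures above (Run key persistence, Defender real-time protection tampering, and the scheduled task reported in the ATT&CK matrix) leave registry writes or process creations that endpoint telemetry records. The following is an added example, written for this page rather than taken from the sandbox or any vendor, that expresses them as detection rules over Sysmon-style events (Event ID 13 RegistryEvent value set, Event ID 1 ProcessCreate). The events are constructed; file names and SIDs are placeholders, not the sample's real artefacts. The ATT&CK IDs are the v6 IDs this report uses. The "Checks computer location settings" signature is a registry read and is not covered here, because Sysmon logs registry writes and key operations, not reads.

```python
# Added example: host-side behaviours flagged above, expressed as detection
# rules over Sysmon-style events. Written for this page, not sandbox or vendor
# code. Events below are constructed, not recorded from the sample.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# ...\CurrentVersion\Run or RunOnce value set -> autostart entry
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Defender real-time protection policy values such as DisableRealtimeMonitoring
DEFENDER_RTP_RE = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
# schtasks /create on the command line of a newly created process
SCHTASKS_CREATE_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create', re.I)


@dataclass(frozen=True)
class Rule:
    name: str        # sandbox signature name from the report above
    attack_id: str   # ATT&CK v6 ID as used in the report's matrix
    matches: Callable[[Event], bool]


def _value_set(e: Event, pattern: re.Pattern) -> bool:
    # Sysmon Event ID 13 = RegistryEvent (value set)
    return e.get("EventID") == 13 and bool(pattern.search(str(e.get("TargetObject", ""))))


RULES: List[Rule] = [
    Rule("Adds Run key to start application", "T1060",
         lambda e: _value_set(e, RUN_KEY_RE)),
    Rule("Modifies Windows Defender Real-time Protection settings", "T1089",
         # Only a DWORD of 1 disables the feature; a write of 0 re-enables it.
         lambda e: _value_set(e, DEFENDER_RTP_RE)
         and str(e.get("Details", "")).endswith("(0x00000001)")),
    Rule("Scheduled Task", "T1053",
         # Sysmon Event ID 1 = ProcessCreate
         lambda e: e.get("EventID") == 1
         and bool(SCHTASKS_CREATE_RE.search(str(e.get("CommandLine", ""))))),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (signature, ATT&CK id, image) for every event that fires a rule."""
    hits = []
    for e in events:
        for rule in RULES:
            if rule.matches(e):
                hits.append((rule.name, rule.attack_id, str(e.get("Image", ""))))
    return hits


# Constructed Sysmon-like events; paths, names and SIDs are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\dropped.exe",
     "TargetObject": r"HKU\S-1-5-21-1-1-1-1001\Software\Microsoft\Windows\CurrentVersion\Run\dropped",
     "Details": r"C:\Users\user\AppData\Local\Temp\dropped.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /tn dropped /tr C:\Users\user\AppData\Local\Temp\dropped.exe /sc minute /mo 1'},
    # Benign registry write that must not fire
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1-1-1-1001\Control Panel\Desktop\WallPaper",
     "Details": r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"},
]

if __name__ == "__main__":
    for name, tid, image in evaluate(SAMPLE_EVENTS):
        print(f"{tid:<6} {name}  <- {image}")
```

The Defender rule checks the written value, not just the key path, so an administrator re-enabling real-time protection (a write of 0) does not trigger it; the Run-key rule is intentionally broad and will need an allow-list of known installers in production.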

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                            Count  ID
Execution             Scheduled Task                       1      T1053
Persistence           Modify Existing Service              1      T1031
Persistence           Registry Run Keys / Startup Folder   1      T1060
Persistence           Scheduled Task                       1      T1053
Privilege Escalation  Scheduled Task                       1      T1053
Defense Evasion       Modify Registry                      3      T1112
Defense Evasion       Disabling Security Tools             2      T1089
Discovery             Query Registry                       1      T1012
Discovery             System Information Discovery         2      T1082

Note: these IDs follow ATT&CK v6, the version this report maps against. Several have since been deprecated or reorganised as sub-techniques: T1031 is now covered by T1543.003 (Create or Modify System Process: Windows Service), T1060 by T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), and T1089 by T1562.001 (Impair Defenses: Disable or Modify Tools). T1053, T1112, T1012 and T1082 remain current IDs.

Tasks