General
-
Target
07166899.exe
-
Size
599KB
-
Sample
230609-h2ecbabd28
-
MD5
f4d153c0a650e3183a8b29611c4c8ff1
-
SHA1
4b33072bb61d0ed056fb52794cd79740d5497bf5
-
SHA256
cb4f213d58e190fd647be421ddd3e345a3d6e2281f103442f72dfbf5601cd408
-
SHA512
3b573d88b2ed0a0eb609e32f46fdd3de9d92dc8ed7910da07c8731d4f429404b51d2fd979462362d771d3c55619410e35905793e78dd5f8f2eadce110e6bd828
-
SSDEEP
12288:GMrGy908Llncb7/tz+xMKbzLyKyQNGD0t2ciSr3:YyXBnEr8xMgHygNGD0t3
Malware Config
Extracted
redline
duha
83.97.73.129:19068
-
auth_value
aafe99874c3b8854069470882e00246c
Extracted
amadey
3.83
77.91.68.30/music/rock/index.php
Extracted
redline
crazy
83.97.73.129:19068
-
auth_value
66bc4d9682ea090eef64a299ece12fdd
Targets
-
-
Target
07166899.exe
-
Size
599KB
-
MD5
f4d153c0a650e3183a8b29611c4c8ff1
-
SHA1
4b33072bb61d0ed056fb52794cd79740d5497bf5
-
SHA256
cb4f213d58e190fd647be421ddd3e345a3d6e2281f103442f72dfbf5601cd408
-
SHA512
3b573d88b2ed0a0eb609e32f46fdd3de9d92dc8ed7910da07c8731d4f429404b51d2fd979462362d771d3c55619410e35905793e78dd5f8f2eadce110e6bd828
-
SSDEEP
12288:GMrGy908Llncb7/tz+xMKbzLyKyQNGD0t2ciSr3:YyXBnEr8xMgHygNGD0t3
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-