General

  • Target: c4785969ee2a53a1ef42e101bab92ed8.bin
  • Size: 742KB
  • Sample: 230617-b5qq7ahg39
  • MD5: 48b9433e3a83575bfcd38072955cde91
  • SHA1: e669cc9499106cf5dc93561b2c8bf7fa4222dbce
  • SHA256: 54ab63f1febf094a1c3dcd5e50045c60c87018144107fbbda3c71d600667e2b6
  • SHA512: 0aa3372fc8c241b87e254ba96bc588afbcab5a78abc44e5b2736618c18e4d58a91e627816883054907bd91a68d0c62b5649a7f6f1a29ae9cbc507ea5ccd91f7f
  • SSDEEP: 12288:pwjzAV2r7C8oA9dlJr/VjBqoN9Ct5D4ra9nO3+9v8rizI4PAX6fFQCnl6Hl15acS:pwjEVg7C8JVNjsofCtJ4S9puX6fWqS1O

Malware Config

Extracted

  • Family: redline
  • Botnet: joker
  • C2: 83.97.73.130:19061
  • Attributes
      • auth_value: a98d303cc28bb3b32a23c59214ae3bc0

Extracted

  • Family: redline
  • Botnet: mana
  • C2: 83.97.73.130:19061
  • Attributes
      • auth_value: 4f5139d6c845fe72d05faf05763b6c31

Extracted

  • Family: amadey
  • Version: 3.84
  • C2: 77.91.68.63/doma/net/index.php

Targets

    • Target: 462af1607f53a80bc5640910f3d780fac92fa57e3308b3ead86b670890b8d31b.exe
    • Size: 785KB
    • MD5: c4785969ee2a53a1ef42e101bab92ed8
    • SHA1: 0101b1bd253377ef3b004fc5d48fab2c8ba514c4
    • SHA256: 462af1607f53a80bc5640910f3d780fac92fa57e3308b3ead86b670890b8d31b
    • SHA512: 373b5d24a220c502375a4e2b96e9274e2a8d30a483c8685c34cc9c8ae1697da3cdf43af3a3f2ea1ccccf91d64a7d19df8b26b553a2d4e3e7f1c2a17d32e47918
    • SSDEEP: 12288:9MrEy90neEEi0Gt8CKKAOcAvyFkkJ9B6m1yFxECoAhE6X56EhusXf3Tiq:1ykH0G+6/29tWkC/hdFhusXf3Gq

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software installed on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                           Count  ID
Execution             Scheduled Task                      1      T1053
Persistence           Modify Existing Service             1      T1031
Persistence           Registry Run Keys / Startup Folder  1      T1060
Persistence           Scheduled Task                      1      T1053
Privilege Escalation  Scheduled Task                      1      T1053
Defense Evasion       Modify Registry                     3      T1112
Defense Evasion       Disabling Security Tools            2      T1089
Credential Access     Credentials in Files                1      T1081
Discovery             Query Registry                      2      T1012
Discovery             System Information Discovery        2      T1082
Collection            Data from Local System              1      T1005

Tasks