General

  • Target

    012a80c149cc79fcee6026d255b89b115860f28f92b45a60a5ad0559b42bc56a

  • Size

    560KB

  • Sample

    230807-zc6tpshc95

  • MD5

    6da74600edbb4147cc8b1840cec43bc1

  • SHA1

    c7aa58f7039c770245eb2445afcb7eca24f1dbc9

  • SHA256

    012a80c149cc79fcee6026d255b89b115860f28f92b45a60a5ad0559b42bc56a

  • SHA512

    f06dcd6fed8c08e127d9e93ff364ca1cc09e04f95272c5bab1d4c6e26fab35639e9ef2386293ab85c2883323151512f0f0ba1b3b66ce15f5744612e9432873c0

  • SSDEEP

    12288:rMrRy90GMFlKrn+ihdJHoWsLBc5+6TzE5erl6FdhDoAy:2yS3obELm5BTA5eJIhty

Malware Config

Extracted

Family

amadey

Version

3.87

C2

193.233.255.9/nasa/index.php

Extracted

Family

redline

Botnet

dodge

C2

77.91.124.156:19071

Attributes
  • auth_value

    3372223e987be2a16148c072df30163d
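The two extracted C2 values above are the most directly actionable output of this report: Amadey 3.87 beacons to an HTTP path, RedLine ("dodge" botnet) to a bare host:port. As an added example that is not part of the sandbox report, the following Python normalises those two shapes into indicators and sweeps log lines for them. The C2 strings are the ones listed above; the proxy and flow log format, the client addresses and the non-C2 destinations are constructed for illustration.

```python
"""Turn the C2 values the sandbox extracted from this sample into network
indicators and sweep log lines for them.

Added example, not part of the sandbox report.  The two C2 values are the
ones the report's "Malware Config" section lists; the proxy and flow log
lines, client addresses and log format are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Copied from the report: Amadey 3.87 -> HTTP path, RedLine "dodge" -> host:port.
EXTRACTED_CONFIGS = [
    {"family": "amadey", "c2": ["193.233.255.9/nasa/index.php"]},
    {"family": "redline", "c2": ["77.91.124.156:19071"]},
]


@dataclass(frozen=True)
class Indicator:
    family: str
    host: str
    port: Optional[int]  # set for host:port C2s (RedLine)
    path: Optional[str]  # set for host/path C2s (Amadey)


def parse_c2(family: str, raw: str) -> Indicator:
    """Normalise the two C2 shapes in the report: 'host/path' and 'host:port'."""
    if "/" in raw:
        host, _, path = raw.partition("/")
        return Indicator(family, host, None, "/" + path)
    host, _, port = raw.partition(":")
    return Indicator(family, host, int(port) if port else None, None)


def build_indicators(configs=EXTRACTED_CONFIGS) -> List[Indicator]:
    return [parse_c2(c["family"], raw) for c in configs for raw in c["c2"]]


# Constructed sample logs (not from the report): "<ts> <client> <method> <url> <status>"
# for the proxy and "<ts> <client> -> <host>:<port> <proto>" for flows.
PROXY_LOG = """\
2023-08-07T20:11:03Z 10.0.0.5 POST http://193.233.255.9/nasa/index.php 200
2023-08-07T20:11:09Z 10.0.0.5 GET http://example.com/ 200
2023-08-07T20:12:44Z 10.0.0.7 POST http://193.233.255.9/other/index.php 404
"""
FLOW_LOG = """\
2023-08-07T20:11:30Z 10.0.0.5 -> 77.91.124.156:19071 TCP
2023-08-07T20:11:31Z 10.0.0.5 -> 77.91.124.156:443 TCP
2023-08-07T20:13:02Z 10.0.0.9 -> 93.184.216.34:443 TCP
"""

PROXY_RE = re.compile(r"^\S+ (?P<client>\S+) \S+ (?P<url>\S+) ")
FLOW_RE = re.compile(r"^\S+ (?P<client>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+) ")


def match_proxy(lines: Iterable[str], indicators: List[Indicator]) -> List[Tuple[str, str]]:
    """(client, family) for requests whose host AND path equal an HTTP C2.
    The path is compared exactly: the same IP serving another path is not a hit."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        for ind in indicators:
            if ind.path is not None and url.hostname == ind.host and url.path == ind.path:
                hits.append((m.group("client"), ind.family))
    return hits


def match_flows(lines: Iterable[str], indicators: List[Indicator]) -> List[Tuple[str, str]]:
    """(client, family) for flows to an exact host:port C2."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        for ind in indicators:
            if ind.port is not None and m.group("host") == ind.host and int(m.group("port")) == ind.port:
                hits.append((m.group("client"), ind.family))
    return hits


def infected_hosts(proxy_log: str = PROXY_LOG, flow_log: str = FLOW_LOG) -> Dict[str, Set[str]]:
    """Client address -> families it contacted, across both log sources."""
    indicators = build_indicators()
    result: Dict[str, Set[str]] = {}
    hits = match_proxy(proxy_log.splitlines(), indicators) + match_flows(flow_log.splitlines(), indicators)
    for client, family in hits:
        result.setdefault(client, set()).add(family)
    return result


if __name__ == "__main__":
    for client, families in sorted(infected_hosts().items()):
        print(client, ", ".join(sorted(families)))
```

The Amadey match deliberately requires the full path, since a shared IP may host unrelated content; widen it to a host-only match when the address is known to be dedicated to the C2. A client that hits both families, as 10.0.0.5 does in the constructed logs, is consistent with the report's single sample carrying both payloads.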

Targets

    • Target

      012a80c149cc79fcee6026d255b89b115860f28f92b45a60a5ad0559b42bc56a

    • Size

      560KB

    • MD5

      6da74600edbb4147cc8b1840cec43bc1

    • SHA1

      c7aa58f7039c770245eb2445afcb7eca24f1dbc9

    • SHA256

      012a80c149cc79fcee6026d255b89b115860f28f92b45a60a5ad0559b42bc56a

    • SHA512

      f06dcd6fed8c08e127d9e93ff364ca1cc09e04f95272c5bab1d4c6e26fab35639e9ef2386293ab85c2883323151512f0f0ba1b3b66ce15f5744612e9432873c0

    • SSDEEP

      12288:rMrRy90GMFlKrn+ihdJHoWsLBc5+6TzE5erl6FdhDoAy:2yS3obELm5BTA5eJIhty

    • Amadey

      Amadey is a simple trojan bot, primarily used to collect reconnaissance information about the infected host.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is a dropper that disables antivirus protection on the host.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application
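Two of the behaviours flagged above, "Modifies Windows Defender Real-time Protection settings" (the Healer component) and "Adds Run key to start application", leave registry writes that an endpoint sensor can catch. As an added example that is not part of the sandbox report, the following Python applies detection logic for both to constructed Sysmon Event ID 13 (RegistryEvent, value set) records. The image paths, SID, value names and the MsMpEng.exe allow-list are assumptions for illustration, not details taken from the report.

```python
"""Detection logic for two behaviours the report flags: Defender Real-time
Protection tampering and Run-key persistence.

Added example, not part of the sandbox report.  Events are constructed Sysmon
Event ID 13 (RegistryEvent, value set) records in JSON-lines form; image
paths, SID and value names are illustrative, not taken from the report.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Sysmon only records writes under these keys if its configuration includes
# them; the rules below assume it does.
DEFENDER_RTP_RE = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Locations a dropped executable usually lives in; a Run value pointing here
# is far more suspicious than one pointing into Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.IGNORECASE)
# Assumed allow-list: Defender's own engine legitimately writes these values.
TRUSTED_WRITERS = {r"c:\program files\windows defender\msmpeng.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    image: str
    target: str
    details: str


def dword_value(details: str) -> Optional[int]:
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; return the int or None."""
    m = DWORD_RE.match(details)
    return int(m.group(1), 16) if m else None


def detect(events: Iterable[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue  # only registry value-set events carry these behaviours
        image, target, details = ev["Image"], ev["TargetObject"], ev["Details"]
        if DEFENDER_RTP_RE.search(target):
            # Healer-style tampering: a Disable* value set to 1 by a process
            # other than Defender itself.  A reset to 0 is not an alert.
            if dword_value(details) == 1 and image.lower() not in TRUSTED_WRITERS:
                alerts.append(Alert("defender_rtp_disabled", "high", image, target, details))
        elif RUN_KEY_RE.search(target):
            # Run keys are noisy; severity follows where the value points.
            severity = "high" if USER_WRITABLE_RE.search(details) else "low"
            alerts.append(Alert("run_key_persistence", severity, image, target, details))
    return alerts


def load_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed Sysmon events (JSON lines), not taken from the report.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\dropper.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\dropper.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\loader.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Startup", "Details": "C:\\Users\\victim\\AppData\\Roaming\\loader.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Example\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater", "Details": "C:\\Program Files\\Example\\updater.exe"}
{"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\loader.exe", "CommandLine": "loader.exe"}
"""


def run_sample() -> List[Alert]:
    return detect(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(a.severity.upper(), a.rule, a.image, "->", a.target)
```

On the constructed events this yields two high alerts for the Defender Disable* values set by the Temp-resident dropper, a high alert for the Run value pointing into AppData, and a low one for the installer writing a Program Files path; Defender's own reset of the value to 0 and the process-creation event produce nothing. Ship the rules with the Sysmon configuration that includes both key families, otherwise the events never reach the detector.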

MITRE ATT&CK Enterprise v15

Tasks