General

  • Target

    5a54f6c46d49e8d2b54ffb96fc3aa512c9dbf30820921148fd160a1d4b7acd70

  • Size

    560KB

  • Sample

    230810-2pxsnsbc2w

  • MD5

    afa363a12d8bbcac0bd638997c7dea4e

  • SHA1

    ba2f5dacfc1bf4fe2b2adedad1cbf829d8dc08ae

  • SHA256

    5a54f6c46d49e8d2b54ffb96fc3aa512c9dbf30820921148fd160a1d4b7acd70

  • SHA512

    80824ab1af28d7a9ec7f6b0008444614f8e70f0330d3221be8e905b6d6a73aafe65d118fda01e78d8a0021b9cc2cca0459910e15f30350bff3252f47d7cc4640

  • SSDEEP

    12288:JMrAy90p3XVsHIH7XlGeoNnp3AUVnStyYbNijATbPx+HG7:9yG3X+oHbQpwiEyyNjLxYG7

Malware Config

Extracted

Family

amadey

Version

3.87

C2

193.233.255.9/nasa/index.php

Extracted

Family

redline

Botnet

kedra

C2

77.91.124.54:19071

Attributes
  • auth_value

    5deceb2ef08b60cd66ae9869e3eb6e34

Extracted

Family

vidar

Version

5.1

Botnet

ef53b6b1b2b41bb26f156380d493f1dd

C2

https://t.me/tatlimark

https://steamcommunity.com/profiles/76561199536605936

Attributes
  • profile_id_v2

    ef53b6b1b2b41bb26f156380d493f1dd

Extracted

Family

quasar

Version

1.4.1

Botnet

spread

C2

adequatelicensing.at:4040

Mutex

d93e662e-a9de-4198-89ca-f18764fe29de

Attributes
  • encryption_key

    36FFB0B8C391E84D40C64F776A2794BCA2549D86

  • install_name

    Updater.exe

  • log_directory

    Logs

  • reconnect_delay

    1000

  • startup_key

    Java Update

  • subdirectory

    Java

Targets

    • Target

      5a54f6c46d49e8d2b54ffb96fc3aa512c9dbf30820921148fd160a1d4b7acd70

    • Size

      560KB

    • MD5

      afa363a12d8bbcac0bd638997c7dea4e

    • SHA1

      ba2f5dacfc1bf4fe2b2adedad1cbf829d8dc08ae

    • SHA256

      5a54f6c46d49e8d2b54ffb96fc3aa512c9dbf30820921148fd160a1d4b7acd70

    • SHA512

      80824ab1af28d7a9ec7f6b0008444614f8e70f0330d3221be8e905b6d6a73aafe65d118fda01e78d8a0021b9cc2cca0459910e15f30350bff3252f47d7cc4640

    • SSDEEP

      12288:JMrAy90p3XVsHIH7XlGeoNnp3AUVnStyYbNijATbPx+HG7:9yG3X+oHbQpwiEyyNjLxYG7

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks