General

  • Target

    08c8b46d295e290141686ab1b2855548.bin

  • Size

    1.5MB

  • Sample

    230906-bdawnacd7s

  • MD5

    107ff62fb9ddcf0b07bbe04e4888e5f4

  • SHA1

    a809191a16425113eaea61e50877ca80a62e4471

  • SHA256

    447cdc894e9b32fc82e5b54f46fed2e377b215c36c42a6f9832626230993f43f

  • SHA512

    4f5280cbc7a1984725de62b3add6eceb27ab9e8b96debbcacb7d9c886085e212824ba8646ace0b9ef41c05cb82ab446849c078e8e5a619fd0902778867c3867b

  • SSDEEP

    24576:Pd57QHb3Voj/sduyNUHEZh3vYS2oxhGbO2XRSbZ3mfbOfT/w0BPbT9Rb:PPsxojjEn/22SR2Z3f3zTnb

Malware Config

Extracted

Family

amadey

Version

3.87

C2

77.91.68.18/nice/index.php

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

gena

C2

77.91.124.82:19071

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Targets

    • Target

      2288f74f56cd376862001d460688693eb97f19e2340f7a0a6a11bbc2d62c7940.exe

    • Size

      1.5MB

    • MD5

      08c8b46d295e290141686ab1b2855548

    • SHA1

      7a354148044020ea2289b57983fe7d70b1ab6b91

    • SHA256

      2288f74f56cd376862001d460688693eb97f19e2340f7a0a6a11bbc2d62c7940

    • SHA512

      752e32f336d6fc9eb2ee5f95fa585abd92b469eda88e03b500ca7a40861a8bf906a73ae5125b33cb741466bf11f7c3a16f2cceb8d7ef92de619f69a1471b2bdd

    • SSDEEP

      49152:5z9G6KrsCd1NJZ0KWqNTMt2ehqI0l9A0S/K1Ye8:5c6KrsC/NcKvNABhT0lu0Sy1

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • T1053 Scheduled Task/Job (1)

Persistence

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

  • T1053 Scheduled Task/Job (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

  • T1053 Scheduled Task/Job (1)

Defense Evasion

  • T1112 Modify Registry (1)

Discovery

  • T1012 Query Registry (1)

  • T1082 System Information Discovery (2)

Tasks