General

  • Target

    230906-x5evksbc6s_pw_infected.zip

  • Size

    1MB

  • Sample

    230907-lq3gjsgc9t

  • MD5

    9ff5a973313de3b6f0fca69610843bd7

  • SHA1

    4235d575d0223bae47b4677c7ca89dcb8ca9089c

  • SHA256

    2ca32965e9d45430043a94d612edf4a3c5ca6f206c39155d5bd56390da3849c2

  • SHA512

    9ddae909c59a100f6726fcbb354e937b10bacbcda8e12e737a726623907ab1c95589a67295ac6a986f47ba17e1c046d0564ac68cbe82dbd71ec7d44ec5e7b1d1

  • SSDEEP

    24576:yWbQaZHgUIlfbUBfGHZUXcI57akKrR1Q1O1ZFRQ8nh9B5tvdI2uBtSLp9jCttT7b:FcaZAUIlo8HIcI57akKPQ+7m89l1u/Sc

Malware Config

Extracted

Family

amadey

Version

3.87

C2

77.91.68.18/nice/index.php

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

gena

C2

77.91.124.82:19071

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Targets

    • Target

      y6467268_JC.exe

    • Size

      1MB

    • MD5

      ddb5fe9c48ec02d43fe40e3be0fb6972

    • SHA1

      adaa8c52351c2412be289f2179ec5ecd7d5c1fcb

    • SHA256

      688dfa93e23ecdf662eab782b42fad8732a4a1fa2d39b0a9be1f0c19efb3ede7

    • SHA512

      6f6eb01817abaa514f9d989a0339760ed29e64aba390b2214562f36314c3173275bf0b249c50f613e6560169b99d9151f85f8b2abb544ecc91d01a3e3c9eab7a

    • SSDEEP

      24576:lyj3+xivG7etKyElnVkgoog/HvHSqOUc1rPM16pHhVno8/2zoIpqDdfO5Bmbs74s:Aj3+gvGytKyElVjo1PvTOtE1YVvrfdX2

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Detected potential entity reuse from brand paypal.

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Tasks