General

  • Target

    6dd02dac3d3564bef5d7e53553ef6e7276e683382e49a7de18ce3c4984ba6d4e

  • Size

    1.0MB

  • Sample

    231003-apehjshb76

  • MD5

    e76ada8af3ed941c02fddd17145e305d

  • SHA1

    7c7fbb52bd83c0eea3f564117bde35ca07dbfc99

  • SHA256

    6dd02dac3d3564bef5d7e53553ef6e7276e683382e49a7de18ce3c4984ba6d4e

  • SHA512

    44b647235cc47eca4082c35b4cdeb890f46e6ed10cee40ca73bb9fe71d507a14baefdf4b8349d372132870ff77d042916346990386136f759fc4e8507c4ada09

  • SSDEEP

    24576:IylNLm/Io+lUIqRfTZyV8BZ5Tbjwe/yYs:PXm/Io+lkfT02z1/wKyY

Malware Config

Extracted

Family

redline

Botnet

jordan

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

rc4.plain
rc4.plain

Targets

    • Target

      6dd02dac3d3564bef5d7e53553ef6e7276e683382e49a7de18ce3c4984ba6d4e

    • Size

      1.0MB

    • MD5

      e76ada8af3ed941c02fddd17145e305d

    • SHA1

      7c7fbb52bd83c0eea3f564117bde35ca07dbfc99

    • SHA256

      6dd02dac3d3564bef5d7e53553ef6e7276e683382e49a7de18ce3c4984ba6d4e

    • SHA512

      44b647235cc47eca4082c35b4cdeb890f46e6ed10cee40ca73bb9fe71d507a14baefdf4b8349d372132870ff77d042916346990386136f759fc4e8507c4ada09

    • SSDEEP

      24576:IylNLm/Io+lUIqRfTZyV8BZ5Tbjwe/yYs:PXm/Io+lkfT02z1/wKyY

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks