General

  • Target

    b0571ebb197957db2593bbf6db93c83e802e44fbdd3523b002234ea67c414dcd

  • Size

    1014KB

  • Sample

    231003-egw5vagb4w

  • MD5

    3b86e358dce0351846c939d231254995

  • SHA1

    0782fa15bf0fd6fcfcdabe898e3d0f7e17061cd3

  • SHA256

    b0571ebb197957db2593bbf6db93c83e802e44fbdd3523b002234ea67c414dcd

  • SHA512

    76efdd087c75dc8e7b526f5919465c5991661da18d0b2fd818aeee085da8f4ea61aaddafaa50fc54f3c4a54251dc5c389c4f9559cfaffa3b61f00138c7b654b9

  • SSDEEP

    24576:Ny5ghzwHU67b2WcjU5kVh7nQKWjnvAYhi:o8wH/7b2jIkVhjQKWjnvAY

Malware Config

Extracted

Family

redline

Botnet

jordan

C2

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

rc4.plain
rc4.plain

Targets

    • Target

      b0571ebb197957db2593bbf6db93c83e802e44fbdd3523b002234ea67c414dcd

    • Size

      1014KB

    • MD5

      3b86e358dce0351846c939d231254995

    • SHA1

      0782fa15bf0fd6fcfcdabe898e3d0f7e17061cd3

    • SHA256

      b0571ebb197957db2593bbf6db93c83e802e44fbdd3523b002234ea67c414dcd

    • SHA512

      76efdd087c75dc8e7b526f5919465c5991661da18d0b2fd818aeee085da8f4ea61aaddafaa50fc54f3c4a54251dc5c389c4f9559cfaffa3b61f00138c7b654b9

    • SSDEEP

      24576:Ny5ghzwHU67b2WcjU5kVh7nQKWjnvAYhi:o8wH/7b2jIkVhjQKWjnvAY

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks