General

  • Target

    43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b

  • Size

    1.1MB

  • Sample

    231010-2q9tmaad22

  • MD5

    319e10390538257a26c100a8702b6dfa

  • SHA1

    b3762113cc099af2e22643fb29719e43fe07bbf3

  • SHA256

    43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b

  • SHA512

    d6f878878c1968ad36777164df4d1576403b95ced49e8ba31867c21500f96abc611216339af55c0c3d23c1f8ddb03fe4fcd923e8fa474e055db9fed5a957d48f

  • SSDEEP

    24576:ny67bZ9SzBaJckAix2h86yWgZz/xp3e+c9FusCRO:yKbDLJnAiaSVA+c9FzCR

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

rc4.plain
rc4.plain

Targets

    • Target

      43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b

    • Size

      1.1MB

    • MD5

      319e10390538257a26c100a8702b6dfa

    • SHA1

      b3762113cc099af2e22643fb29719e43fe07bbf3

    • SHA256

      43719d4291618a34f61318ea844dfa05238d799ba0ea61ac419807a56c4e539b

    • SHA512

      d6f878878c1968ad36777164df4d1576403b95ced49e8ba31867c21500f96abc611216339af55c0c3d23c1f8ddb03fe4fcd923e8fa474e055db9fed5a957d48f

    • SSDEEP

      24576:ny67bZ9SzBaJckAix2h86yWgZz/xp3e+c9FusCRO:yKbDLJnAiaSVA+c9FzCR

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks