General

  • Target

    b7668e16e00cfa7aab4fd5833311a9d3.bin

  • Size

    779KB

  • Sample

    240122-dalvvsfcd5

  • MD5

    1cb3b7893375f4231f4b253ae73ca402

  • SHA1

    4dbc6a8eb05c1e744bf2297f03df52867b51b3ed

  • SHA256

    17e0f247d5bc524d51ffa9876da7a3ad2138703528fac3463e340ff938b715aa

  • SHA512

    cb458baead36a20d66c6054c1dbcc162b6f8114ce817c39fda890885ebda216cfdb3f6d0c3420d3acfe88d479d5eabfb814693beddbc0be8e16cdd2b3910905e

  • SSDEEP

    24576:6ljEAACzGXkT2IFe8+X4dk9XpcpF8lBBEA:HxiJCd9XkGCA

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes
  • install_dir

    d887ceb89d

  • install_file

    explorhe.exe

  • strings_key

    7cadc181267fafff9df8503e730d60e1

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

C2

141.95.211.148:46011

Extracted

Family

redline

Botnet

2024

C2

195.20.16.103:20440

Extracted

Family

redline

Botnet

@Pixelscloud

C2

94.156.66.203:13781

Extracted

Family

redline

Botnet

Legaa

C2

185.172.128.33:38294

Extracted

Family

amadey

C2

http://185.215.113.68

Attributes
  • strings_key

    7cadc181267fafff9df8503e730d60e1

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

20.113.35.45:38357

Targets

    • Target

      3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe

    • Size

      790KB

    • MD5

      b7668e16e00cfa7aab4fd5833311a9d3

    • SHA1

      81f2ecd89774c56e0cc9cdb9dfe273df76dfefa7

    • SHA256

      3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366

    • SHA512

      7e2146e5e8b28830208a92ddcb57075fd0e046856c0564e3faf5f0d71a6dbe5454c16b45664da4277de795eb53f1be447de4aae2a0a5a0d12eefe9d5be6d96e4

    • SSDEEP

      12288:r9SJ++jmIFElFpRqH1YWGn1Io7YNQZDzdYD/jGW/nSkxgsDggauUPnIpm68fuvQR:r0g9/nREmWGn/wQFRHW/nSkx4dk4qo

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

1
T1562

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

2
T1005

Impact

Service Stop

1
T1489

Tasks