General

  • Target

    bbe53788c93f1feb8c52908d74ae463d58addef354242fb4bfa423560ea82458

  • Size

    419KB

  • Sample

    240325-fncv8agg43

  • MD5

    27499cf0e73817392b9f50cc9e82c2b3

  • SHA1

    a0efab9cdb4b2a4a920f4ab76095d24806d7812f

  • SHA256

    bbe53788c93f1feb8c52908d74ae463d58addef354242fb4bfa423560ea82458

  • SHA512

    94b6768d229da70e558ede3b339b99f3c67657f5ce6b76d123a9df0226c3c6677e9585dd42fa5a74df901e7b0cc3dd0a89a0c9bfc82271706b4af97a00f4f414

  • SSDEEP

    6144:dOpt5U2F/o+89gzpGzlpKmu9HiFqVOmZce8dsGlEpD:Q5U2FQ+8+cpKmu9HikghdsG2h

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes
  • install_dir

    154561dcbf

  • install_file

    Dctooux.exe

  • strings_key

    2cd47fa043c815e1a033c67832f3c6a5

  • url_paths

    /j4Fvskd3/index.php

rc4.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

5.42.65.68:29093

Extracted

Family

amadey

Version

4.18

Attributes
  • strings_key

    2cd47fa043c815e1a033c67832f3c6a5

  • url_paths

    /j4Fvskd3/index.php

rc4.plain

Targets

    • Target

      bbe53788c93f1feb8c52908d74ae463d58addef354242fb4bfa423560ea82458

    • Size

      419KB

    • MD5

      27499cf0e73817392b9f50cc9e82c2b3

    • SHA1

      a0efab9cdb4b2a4a920f4ab76095d24806d7812f

    • SHA256

      bbe53788c93f1feb8c52908d74ae463d58addef354242fb4bfa423560ea82458

    • SHA512

      94b6768d229da70e558ede3b339b99f3c67657f5ce6b76d123a9df0226c3c6677e9585dd42fa5a74df901e7b0cc3dd0a89a0c9bfc82271706b4af97a00f4f414

    • SSDEEP

      6144:dOpt5U2F/o+89gzpGzlpKmu9HiFqVOmZce8dsGlEpD:Q5U2FQ+8+cpKmu9HikghdsG2h

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks