General

  • Target

    49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe

  • Size

    433KB

  • Sample

    240626-emc9xstfja

  • MD5

    6ceecba79d0895eb3d914391ca2cc2c0

  • SHA1

    c2a2387735af8ec9e73178f5294387e14771ab6f

  • SHA256

    49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701

  • SHA512

    aec66aa9227e074578a53b936f9b532a8748bfa05e8bfdff89a90ccdf1441432c6abb16a8b69b631d1685f88174dfe7b83327bfe25e875b78bd8fc14acc1f345

  • SSDEEP

    12288:jMr8y90e4boilTG1au4t+h5jAXqrrc7v1:TyT+oSG5jA9Z

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

  • rc4.plain

    006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15
