General

  • Target

    b5f60e970382972352178877758671592ba5eec5a0ec056e3a687de27c041960

  • Size

    982KB

  • Sample

    241106-np2vqsylgv

  • MD5

    b59abb1bc590dbebb51513fc7759d7ac

  • SHA1

    896944faac192ef45ca6ab649d6ddc4f9ec4c1ae

  • SHA256

    b5f60e970382972352178877758671592ba5eec5a0ec056e3a687de27c041960

  • SHA512

    8edb867530371b64af2fefe753c52c3395c5691c1688bff9de310143161072de4b62ef356d38f1ad3a908b4f1e32c836707ad16a6fdb19d965a00216b631f669

  • SSDEEP

    24576:ZyCasMKOmRgs8+14JPD0BgpAvyivsWEuh5N+:MsZBiAKivsW

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

amadey

Version

3.70

Botnet

47f88f

C2

http://193.201.9.43

Attributes
  • install_dir

    595f021478

  • install_file

    oneetx.exe

  • strings_key

    4971eddfd380996ae21bea987102e417

  • url_paths

    /plays/chapter/index.php

rc4.plain

Targets

    • Target

      b5f60e970382972352178877758671592ba5eec5a0ec056e3a687de27c041960

    • Size

      982KB

    • MD5

      b59abb1bc590dbebb51513fc7759d7ac

    • SHA1

      896944faac192ef45ca6ab649d6ddc4f9ec4c1ae

    • SHA256

      b5f60e970382972352178877758671592ba5eec5a0ec056e3a687de27c041960

    • SHA512

      8edb867530371b64af2fefe753c52c3395c5691c1688bff9de310143161072de4b62ef356d38f1ad3a908b4f1e32c836707ad16a6fdb19d965a00216b631f669

    • SSDEEP

      24576:ZyCasMKOmRgs8+14JPD0BgpAvyivsWEuh5N+:MsZBiAKivsW

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks