General

  • Target

    97b1a9dacb29308a42c991f6fd44e77599b83f97669d430255956410c3147c7f

  • Size

    1.4MB

  • Sample

    241106-r38rzsvjbn

  • MD5

    a65f4c726748b61eec0c9b92dc317a9c

  • SHA1

    96da1edfb325015fceefe3bb8f8aa8bac0f97afe

  • SHA256

    97b1a9dacb29308a42c991f6fd44e77599b83f97669d430255956410c3147c7f

  • SHA512

    592c83bacc8656bad1b9437fa98359387da998b4c0dbf88acc2c4ca052d6a9791eaf68f04d244ffec3055b0d1a4bd936a8a38f5fc27f5bf3b91401210c954056

  • SSDEEP

    24576:tyX6oXre5TlXuYO53UOZZhzd9/bagrdVJDYTE96DED6wbLYsDEjlw01cFIZ92Ah+:IX6o6BRuY+XHd9/W8vJMTE4EewbUnjFa

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

amadey

Version

3.70

Botnet

47f88f

C2

http://193.201.9.43

Attributes
  • install_dir

    595f021478

  • install_file

    oneetx.exe

  • strings_key

    4971eddfd380996ae21bea987102e417

  • url_paths

    /plays/chapter/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

maxi

C2

185.161.248.90:4125

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Targets

    • Target

      97b1a9dacb29308a42c991f6fd44e77599b83f97669d430255956410c3147c7f

    • Size

      1.4MB

    • MD5

      a65f4c726748b61eec0c9b92dc317a9c

    • SHA1

      96da1edfb325015fceefe3bb8f8aa8bac0f97afe

    • SHA256

      97b1a9dacb29308a42c991f6fd44e77599b83f97669d430255956410c3147c7f

    • SHA512

      592c83bacc8656bad1b9437fa98359387da998b4c0dbf88acc2c4ca052d6a9791eaf68f04d244ffec3055b0d1a4bd936a8a38f5fc27f5bf3b91401210c954056

    • SSDEEP

      24576:tyX6oXre5TlXuYO53UOZZhzd9/bagrdVJDYTE96DED6wbLYsDEjlw01cFIZ92Ah+:IX6o6BRuY+XHd9/W8vJMTE4EewbUnjFa

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks