General

  • Target

    cd7e61a7a13489775a3dafaf265b0cb838775e0f742fcf30176b215d3bed76ab

  • Size

    1.5MB

  • Sample

    241106-xdt57axqgk

  • MD5

    20401c9caf420379dab9ba0ab0e59493

  • SHA1

    911143011b2b7a48a882bbade147942e8d8e0352

  • SHA256

    cd7e61a7a13489775a3dafaf265b0cb838775e0f742fcf30176b215d3bed76ab

  • SHA512

    6233906168d3fedffd9b068faf746a72adb941e4dd2c9e649a3485d05f159039b61c6f3d0b2a880d5b1235e46b6ac539090ab4afcfed5a430563e3c178d36fc9

  • SSDEEP

    24576:yyf+J39IeVYq+f4y6bTu+lCPERM4VZNvCCB0E2Jp3LBLrFHE2BYWG/gO:ZfC39rVuWGSkuLrNvq/XLdYWYg

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

amadey

Version

3.70

Botnet

47f88f

C2

http://193.201.9.43

Attributes
  • install_dir

    595f021478

  • install_file

    oneetx.exe

  • strings_key

    4971eddfd380996ae21bea987102e417

  • url_paths

    /plays/chapter/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

maxi

C2

185.161.248.90:4125

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a
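The two C2 entries above differ in transport: RedLine's is a bare host:port, while Amadey's is an HTTP base that only becomes a usable indicator once joined with its url_paths value. The following Python script is an added example (not code from the report or from the sandbox) that normalises the extracted values into network IOCs, matches them against constructed connection and proxy log lines, and renders them as Suricata rules. The log line format, the sid numbers, and the treatment of RedLine's host:port as a plain TCP endpoint are my assumptions.

```python
"""Network IOCs from the extracted RedLine/Amadey configs, matched against
constructed log lines and rendered as Suricata rules. Added example; not
part of the sandbox report."""
import re
from urllib.parse import urlparse

# Values copied from the report's "Malware Config" section.
EXTRACTED_CONFIGS = [
    {"family": "redline", "botnet": "lada", "c2": ["185.161.248.90:4125"]},
    {"family": "redline", "botnet": "maxi", "c2": ["185.161.248.90:4125"]},
    {"family": "amadey", "version": "3.70", "botnet": "47f88f",
     "c2": ["http://193.201.9.43"], "url_paths": ["/plays/chapter/index.php"]},
]


def build_iocs(configs):
    """Return (tcp_endpoints, http_urls).

    RedLine's C2 is a bare host:port, so it becomes a TCP endpoint.
    Amadey's C2 is an HTTP base; joined with each url_path it becomes a full
    check-in URL, and its host:port is kept as a TCP endpoint too so a bare
    connection log (no HTTP inspection) can still match.
    """
    tcp, urls = set(), set()
    for cfg in configs:
        for c2 in cfg["c2"]:
            if c2.startswith(("http://", "https://")):
                u = urlparse(c2)
                port = u.port or (443 if u.scheme == "https" else 80)
                tcp.add((u.hostname, port))
                for path in cfg.get("url_paths") or ["/"]:
                    urls.add(f"{u.scheme}://{u.netloc}{path}")
            else:
                host, port = c2.rsplit(":", 1)
                tcp.add((host, int(port)))
    return tcp, urls


# Constructed log format (assumption, not a real product's):
#   <ts> conn <src_ip>:<src_port> -> <dst_ip>:<dst_port>
#   <ts> http <src_ip> <METHOD> <url>
CONN_RE = re.compile(r"^(?P<ts>\S+) conn \S+ -> (?P<dst>[^:\s]+):(?P<dport>\d+)$")
HTTP_RE = re.compile(r"^(?P<ts>\S+) http \S+ (?P<method>[A-Z]+) (?P<url>\S+)$")

# Constructed sample lines; the 443 and example.org lines are deliberate misses.
SAMPLE_LOG = """\
2024-11-06T12:00:01Z conn 10.0.0.5:51122 -> 185.161.248.90:4125
2024-11-06T12:00:02Z conn 10.0.0.5:51123 -> 185.161.248.90:443
2024-11-06T12:00:03Z http 10.0.0.5 POST http://193.201.9.43/plays/chapter/index.php
2024-11-06T12:00:04Z http 10.0.0.5 GET http://193.201.9.43/plays/chapter/index.php?id=1
2024-11-06T12:00:05Z http 10.0.0.5 GET http://example.org/plays/chapter/index.php
2024-11-06T12:00:06Z conn 10.0.0.5:51124 -> 193.201.9.43:80
""".splitlines()


def match_logs(lines, tcp_iocs, url_iocs):
    """Return (ts, kind, indicator) for each line that hits an IOC.
    The query string is dropped before URL comparison so check-ins with
    varying parameters still match the configured path."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            ep = (m["dst"], int(m["dport"]))
            if ep in tcp_iocs:
                hits.append((m["ts"], "c2-tcp", f"{ep[0]}:{ep[1]}"))
            continue
        m = HTTP_RE.match(line)
        if m:
            u = urlparse(m["url"])
            url = f"{u.scheme}://{u.netloc}{u.path}"
            if url in url_iocs:
                hits.append((m["ts"], "c2-http", url))
    return hits


def to_suricata_rules(tcp_iocs, url_iocs, sid_base=1000000):
    """Render the IOCs as Suricata rules (sid numbers are arbitrary)."""
    rules, sid = [], sid_base
    for host, port in sorted(tcp_iocs):
        sid += 1
        rules.append(
            f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"C2 endpoint {host}:{port}"; flow:to_server; sid:{sid}; rev:1;)')
    for url in sorted(url_iocs):
        u = urlparse(url)
        sid += 1
        rules.append(
            f'alert http $HOME_NET any -> {u.hostname} any '
            f'(msg:"C2 check-in {url}"; flow:established,to_server; '
            f'http.uri; content:"{u.path}"; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    tcp, urls = build_iocs(EXTRACTED_CONFIGS)
    for hit in match_logs(SAMPLE_LOG, tcp, urls):
        print(*hit)
    print("\n".join(to_suricata_rules(tcp, urls)))
```

Note that the two RedLine botnets (lada and maxi) share one C2 endpoint, so they collapse into a single TCP indicator; the 443 connection to the same host is not flagged because the port is part of the indicator. Widen that to host-only matching if the IP is not known to host anything else.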

Targets

    • Target

      cd7e61a7a13489775a3dafaf265b0cb838775e0f742fcf30176b215d3bed76ab


    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
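Three of the behaviours above (Defender real-time protection modified, a dropped EXE executed, a Run key added) leave registry and process-creation traces that endpoint telemetry such as Sysmon records. The following Python script is an added example (not code from the report or the sandbox) that classifies constructed Sysmon-style events against those behaviours, using the Amadey install_dir and install_file from the extracted config. The events, the parent Temp directory, and the Run-key heuristic are my assumptions; the report gives only the directory name, not where it is created.

```python
"""Host-side checks for the behaviours the sandbox flagged, run over
constructed Sysmon-style events. Added example; not the report's code."""
import re

# From the Amadey config in the report.
AMADEY_INSTALL_DIR = "595f021478"
AMADEY_INSTALL_FILE = "oneetx.exe"

# Defender policy values under ...\Windows Defender\Real-Time Protection that
# turn parts of real-time protection off when set to 1.
DEFENDER_RTP_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
    "DisableIOAVProtection",
}
DEFENDER_RTP_RE = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\(?P<value>[^\\]+)$", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
# Sysmon renders DWORD data in the Details field as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9a-f]{8})\)$", re.I)


def dword_value(details):
    """Parse Sysmon's DWORD rendering; None if the data is not a DWORD."""
    m = DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return a tag for an event matching one of the report's behaviours, else None."""
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image = event.get("Image", "").lower()
        if image.endswith(f"\\{AMADEY_INSTALL_DIR}\\{AMADEY_INSTALL_FILE}"):
            return "executes-dropped-exe"
    elif eid == 13:  # registry value set
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        m = DEFENDER_RTP_RE.search(target)
        if m and m["value"] in DEFENDER_RTP_VALUES and dword_value(details) == 1:
            return "defender-realtime-protection-modified"
        if RUN_KEY_RE.search(target):
            d = details.lower()
            # Heuristic (assumption): autostart entries pointing at the dropped
            # file or into a Temp directory; legitimate Run entries rarely do.
            if AMADEY_INSTALL_FILE in d or "\\temp\\" in d:
                return "run-key-persistence"
    return None


def triage(events):
    """Return (EventID, Image, tag) for every event that matches."""
    hits = []
    for e in events:
        tag = classify(e)
        if tag:
            hits.append((e["EventID"], e.get("Image"), tag))
    return hits


# Constructed events (not captured from the sample); field names follow Sysmon.
DROPPED = r"C:\Users\victim\AppData\Local\Temp\595f021478\oneetx.exe"
RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUN_KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROPPED,
     "ParentImage": r"C:\Users\victim\Downloads\setup.exe"},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": RTP_KEY + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",   # policy refresh re-enabling it
     "TargetObject": RTP_KEY + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": RUN_KEY + r"\oneetx", "Details": DROPPED},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": RUN_KEY + r"\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit)
```

One caveat: Sysmon logs registry value writes (EventID 13) but not reads, so the "Checks computer location settings" behaviour, a read of the configured country code, is not visible to this kind of check; the sandbox observes it through API monitoring, and on an endpoint it would need API-level or ETW tracing rather than Sysmon.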

MITRE ATT&CK Enterprise v15

Tasks