General

  • Target

    08d23e99a66a2d8517393ce1a0f92006c56af084571c604af07810b98afca29f

  • Size

    1.5MB

  • Sample

    241109-d6hs3szjbp

  • MD5

    1754ab1e3b2780f55d8060402db08582

  • SHA1

    f66e43dcd80e231e8618d2200460fb78cabe65cc

  • SHA256

    08d23e99a66a2d8517393ce1a0f92006c56af084571c604af07810b98afca29f

  • SHA512

    eed49f37f51ba78e49d6b0b9087fe38740e8047f4b2dfd4490d03238d484f8df6cb8a90e1e5c9ec1b5a1164ad9cae352eb1a544e78d8e93d69a3be352558303e

  • SSDEEP

    24576:XyqKNIlAIWy4gNu50Q17rvy4QtDBYc7y9LKZt6lRdnW/dJin4INIXeZ8GM/Bs3k9:iGlAIWy4gNuB5rylttYQZt6lYfi1NIXa

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes
  • auth_value

    7da4dfa153f2919e617aa016f7c36008

Targets

    • Target

      08d23e99a66a2d8517393ce1a0f92006c56af084571c604af07810b98afca29f

    • Size

      1.5MB

    • MD5

      1754ab1e3b2780f55d8060402db08582

    • SHA1

      f66e43dcd80e231e8618d2200460fb78cabe65cc

    • SHA256

      08d23e99a66a2d8517393ce1a0f92006c56af084571c604af07810b98afca29f

    • SHA512

      eed49f37f51ba78e49d6b0b9087fe38740e8047f4b2dfd4490d03238d484f8df6cb8a90e1e5c9ec1b5a1164ad9cae352eb1a544e78d8e93d69a3be352558303e

    • SSDEEP

      24576:XyqKNIlAIWy4gNu50Q17rvy4QtDBYc7y9LKZt6lRdnW/dJin4INIXeZ8GM/Bs3k9:iGlAIWy4gNuB5rylttYQZt6lYfi1NIXa

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks