General

  • Target

    25c4df2ef210208ee30b15a7fcedfcf26765cfef346de3e9478d80b2b0a05afa

  • Size

    491KB

  • Sample

    241109-y66kcstrem

  • MD5

    96b5fee41c4754ee313a7ea6e5aadf7d

  • SHA1

    4762efce0265a98676c21c1d3498c3c0890d63c1

  • SHA256

    25c4df2ef210208ee30b15a7fcedfcf26765cfef346de3e9478d80b2b0a05afa

  • SHA512

    118fca6138c35dc3afe9f04d08a4eb6142e3468050e250fbf924c4f0980231cdcc44742c4de963b40223fcd303dd9b36517527a68b09fc4e3d029289d7c438da

  • SSDEEP

    12288:6Mrgy90vEZmEyW/eR/MNHafVyr4Na5iL/+r:+y0my4O06fsr4NU6+r

Malware Config

Extracted

Family

redline

Botnet

lipo

C2

217.196.96.101:4132

Attributes
  • auth_value

    3183df2d03b17daa3c5ecc95e60086a5

Extracted

Family

amadey

Version

3.70

Botnet

5d3738

C2

http://212.113.119.255

Attributes
  • install_dir

    5cb6818d6c

  • install_file

    oneetx.exe

  • strings_key

    79059fc55781c343f4be3c9266db011b

  • url_paths

    /joomla/index.php

  • rc4.plain

Targets

    • Target

      25c4df2ef210208ee30b15a7fcedfcf26765cfef346de3e9478d80b2b0a05afa

    • Size

      491KB

    • MD5

      96b5fee41c4754ee313a7ea6e5aadf7d

    • SHA1

      4762efce0265a98676c21c1d3498c3c0890d63c1

    • SHA256

      25c4df2ef210208ee30b15a7fcedfcf26765cfef346de3e9478d80b2b0a05afa

    • SHA512

      118fca6138c35dc3afe9f04d08a4eb6142e3468050e250fbf924c4f0980231cdcc44742c4de963b40223fcd303dd9b36517527a68b09fc4e3d029289d7c438da

    • SSDEEP

      12288:6Mrgy90vEZmEyW/eR/MNHafVyr4Na5iL/+r:+y0my4O06fsr4NU6+r

    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information and loading additional payloads.

    • Amadey family

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
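
The two extracted configs (RedLine C2 217.196.96.101:4132; Amadey 3.70 C2 http://212.113.119.255 with url path /joomla/index.php, install_dir 5cb6818d6c and install_file oneetx.exe) together with the behavioural signatures above are enough to build simple host and network indicator checks. The Python below is an added example for this page, not sandbox output and not the malware's own code. The registry locations it inspects for the "Adds Run key" and "Modifies Windows Defender Real-time Protection settings" signatures are assumed, since the report does not name the exact key or value written, and the telemetry events it scans are constructed; only the indicator values come from the report.

```python
"""Turn the extracted RedLine/Amadey configs and the listed behavioural
signatures into host and network IOC checks, then run them over constructed
telemetry events.  Added example, not part of the sandbox report."""
from dataclasses import dataclass

# Values copied from the extracted configs on this page.
REDLINE_C2 = ("217.196.96.101", 4132)          # family redline, botnet lipo
AMADEY_C2_HOST = "212.113.119.255"             # family amadey 3.70, botnet 5d3738
AMADEY_URL_PATH = "/joomla/index.php"
AMADEY_INSTALL_DIR = "5cb6818d6c"
AMADEY_INSTALL_FILE = "oneetx.exe"

# Assumed registry locations behind the "Adds Run key" and "Modifies Windows
# Defender Real-time Protection settings" signatures; the report does not say
# which key or value the sample wrote, so these are generic markers.
RUN_KEY_MARKER = r"\currentversion\run"
DEFENDER_RTP_MARKER = r"\windows defender\real-time protection"
DEFENDER_RTP_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disableonaccessprotection",
}


@dataclass(frozen=True)
class Hit:
    family: str
    reason: str


def check_network(ev):
    """Flow/proxy record: dst, dport and (for HTTP) the request path."""
    if (ev.get("dst"), ev.get("dport")) == REDLINE_C2:
        return Hit("redline", "TCP session to RedLine C2 %s:%d" % REDLINE_C2)
    if ev.get("dst") == AMADEY_C2_HOST:
        if ev.get("path", "").startswith(AMADEY_URL_PATH):
            return Hit("amadey", "HTTP check-in to " + AMADEY_C2_HOST + AMADEY_URL_PATH)
        return Hit("amadey", "traffic to Amadey C2 host " + AMADEY_C2_HOST)
    return None


def check_registry(ev):
    """Registry value-set record (e.g. Sysmon event 13): key, value, data."""
    key = ev.get("key", "").lower()
    value = ev.get("value", "").lower()
    data = str(ev.get("data", "")).lower()
    # Attribution of the Defender tampering to Healer follows the report's
    # description of Healer as the antivirus disabler; the key is assumed.
    if DEFENDER_RTP_MARKER in key and value in DEFENDER_RTP_VALUES and data not in ("", "0"):
        return Hit("healer", "Defender real-time protection tampered: %s=%s" % (value, data))
    if RUN_KEY_MARKER in key and AMADEY_INSTALL_FILE in data:
        return Hit("amadey", "Run key persistence pointing at " + AMADEY_INSTALL_FILE)
    return None


def check_process(ev):
    """Process-creation record: image path of the new process."""
    image = ev.get("image", "").lower().replace("/", "\\")
    if image.endswith("\\%s\\%s" % (AMADEY_INSTALL_DIR, AMADEY_INSTALL_FILE)):
        return Hit("amadey", "executed dropped loader <install_dir>\\" + AMADEY_INSTALL_FILE)
    return None


CHECKS = {"network": check_network, "registry": check_registry, "process": check_process}


def scan(events):
    """Return (event, Hit) pairs for every event that matches an indicator."""
    hits = []
    for ev in events:
        hit = CHECKS.get(ev.get("type"), lambda _: None)(ev)
        if hit:
            hits.append((ev, hit))
    return hits


# Constructed sample telemetry; only the indicator values come from the report.
SAMPLE_EVENTS = [
    {"type": "network", "dst": "217.196.96.101", "dport": 4132},
    {"type": "network", "dst": "212.113.119.255", "dport": 80, "path": "/joomla/index.php"},
    {"type": "network", "dst": "212.113.119.255", "dport": 80, "path": "/favicon.ico"},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 1},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "oneetx.exe",
     "data": r"C:\Users\victim\AppData\Local\Temp\5cb6818d6c\oneetx.exe"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\5cb6818d6c\oneetx.exe"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for ev, hit in scan(SAMPLE_EVENTS):
        print("[%s] %s" % (hit.family, hit.reason))
```

Any contact with the Amadey C2 host is flagged; the /joomla/index.php path only sharpens the reason, since a loader that rotates URL paths would otherwise slip past a path-only rule. The Defender check ignores writes that set the value back to 0, which is what a cleanup or GPO refresh produces.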

MITRE ATT&CK Enterprise v15

Tasks