General

  • Target

    ae76f10ac2934f7fe175d79540fa20b19366a765ce137b72ddb24a85b33b19e7

  • Size

    389KB

  • Sample

    241110-bsfqfswern

  • MD5

    941f5827b877fececa48f58e3fdc1f0e

  • SHA1

    35da0528cb0e22471cca109789591d603f550337

  • SHA256

    ae76f10ac2934f7fe175d79540fa20b19366a765ce137b72ddb24a85b33b19e7

  • SHA512

    b55ea6b9bc42781c207af1935bfa9e7e60ac4dfb6fe3746fba4e8af3db28bd981237760ca8bc726c9d2bcd570f466156248d394baca34e59c0092a7bba94ea6a

  • SSDEEP

    6144:Kcy+bnr+Ep0yN90QElU8vFITr28UVeWx9wKRSzrXTqQkJzBVhXEfieumZRNU/cq:AMrYy901Je4EXRkJmieumZ0

Malware Config

Extracted

Family

amadey

Version

3.85

Botnet

de7e5a

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

  • rc4.plain

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576
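The two extracted configs above are what a responder actually acts on: both C2s sit in 77.91.68.0/24, Amadey names its check-in path and drop location, and RedLine's C2 is a bare host:port with an authorization value. The Python below, added here and not part of the sandbox report or of either malware family's code, turns those fields into blockable indicators and shows the RC4 string decryption that the `strings_key` / `rc4.plain` attribute implies. Assumptions are labelled: that Amadey 3.x installs to `%TEMP%\<install_dir>\<install_file>`, and that its strings are plain RC4 keyed by the ASCII `strings_key` and stored as hex; the ciphertext used in `constructed_sample()` is generated in the script, not taken from the binary.

```python
"""Build IOCs from the Amadey and RedLine configs extracted above.

Added example, not the report's or the malware's own code. Assumptions:
  - Amadey 3.x drops to %TEMP%\<install_dir>\<install_file>
  - Amadey strings are plain RC4 with the ASCII strings_key, stored as hex
  - RedLine's C2 field is host:port (its transport is not reconstructed here)
"""
from urllib.parse import urljoin

# Values exactly as extracted in the report.
AMADEY_CFG = {
    "family": "amadey",
    "version": "3.85",
    "botnet": "de7e5a",
    "c2": "http://77.91.68.3",
    "install_dir": "3ec1f323b5",
    "install_file": "danke.exe",
    "strings_key": "827021be90f1e85ab27949ea7e9347e8",
    "url_paths": ["/home/love/index.php"],
}
REDLINE_CFG = {
    "family": "redline",
    "botnet": "roma",
    "c2": "77.91.68.56:19071",
    "auth_value": "f099c2cf92834dbc554a94e1456cf576",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_amadey_string(hex_blob: str, strings_key: str) -> str:
    """Assumption: Amadey stores RC4(ASCII strings_key, plaintext) as hex text."""
    return rc4(strings_key.encode(), bytes.fromhex(hex_blob)).decode("utf-8", "replace")


def constructed_sample() -> str:
    """Constructed ciphertext for the demo: the check-in path encrypted with
    the extracted key. Not a string pulled from the sample."""
    return rc4(AMADEY_CFG["strings_key"].encode(), b"/home/love/index.php").hex()


def amadey_iocs(cfg: dict) -> dict:
    # Check-in URL = C2 base + url_path (Amadey POSTs its beacon to index.php).
    checkin_urls = [urljoin(cfg["c2"] + "/", p.lstrip("/")) for p in cfg["url_paths"]]
    # Assumption: drop location is %TEMP%\<install_dir>\<install_file>.
    install_path = r"%TEMP%\{}\{}".format(cfg["install_dir"], cfg["install_file"])
    return {
        "checkin_urls": checkin_urls,
        "install_path": install_path,
        "c2_host": cfg["c2"].split("://", 1)[1].split("/", 1)[0],
    }


def redline_iocs(cfg: dict) -> dict:
    host, port = cfg["c2"].rsplit(":", 1)
    return {"c2_host": host, "c2_port": int(port), "auth_value": cfg["auth_value"]}


def network_blocklist() -> list:
    """Hosts to block or hunt for, deduplicated across both payloads."""
    hosts = {amadey_iocs(AMADEY_CFG)["c2_host"], redline_iocs(REDLINE_CFG)["c2_host"]}
    return sorted(hosts)


if __name__ == "__main__":
    print(amadey_iocs(AMADEY_CFG))
    print(redline_iocs(REDLINE_CFG))
    print(network_blocklist())
    print(decrypt_amadey_string(constructed_sample(), AMADEY_CFG["strings_key"]))
```

Hunting on the check-in URL (`POST` to `/home/love/index.php`) and on the drop path pattern (a hex-named directory directly under `%TEMP%`) is more durable than the two IPs alone, since Amadey operators rotate hosts more often than they rebuild the bot.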

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is a dropper whose job is to disable antivirus protection (here, Windows Defender real-time protection) before the next payload runs.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence that stops execution in excluded regions.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
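Two of the behaviours listed above, the Defender real-time protection change and the Run-key persistence, leave registry writes that an EDR or Sysmon pipeline records. The Python below is an added example, not part of the report, that runs simple detection logic over constructed events shaped like Sysmon Event ID 13 (RegistryEvent, value set). The events, paths and SID are made up for the demo; the only values taken from the report are the Amadey install directory and file name, which the second rule uses to raise severity when a Run entry points into a hex-named Temp subdirectory.

```python
"""Detect Defender real-time protection tampering and Run-key persistence
in registry value-set events.

Added example, not from the sandbox report. Events are constructed in the
shape of Sysmon Event ID 13 and are not real telemetry.
"""
import re

# Constructed events. Only the Temp\3ec1f323b5\danke.exe path comes from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\danke",
     "details": r"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"},
    {"image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000000)"},   # set back to 0: not a disable
]

# Real-time protection values an "antivirus disabler" typically flips to 1.
RTP_VALUES = r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableIOAVProtection|DisableOnAccessProtection)"
RTP_RE = re.compile(r"\\Windows Defender\\Real-Time Protection\\" + RTP_VALUES + r"$", re.I)
RUN_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Amadey-style drop location: hex-named directory directly under the user's Temp.
TEMP_HEX_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\[0-9a-f]{8,12}\\[^\\]+\.exe$", re.I)
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)


def dword(details: str):
    """Parse a Sysmon 'DWORD (0x........)' details string; None if not a DWORD."""
    m = DWORD_RE.match(details)
    return int(m.group(1), 16) if m else None


def classify(event: dict):
    """Return (rule, severity) for one event, or None if nothing fires."""
    tgt, det = event["target"], event["details"]
    if RTP_RE.search(tgt) and dword(det) == 1:
        return ("defender_rtp_disabled", "high")
    if RUN_RE.search(tgt):
        # A Run entry launched from, or pointing into, a hex-named Temp
        # subdirectory matches the install pattern in the Amadey config.
        if TEMP_HEX_DIR_RE.search(det) or TEMP_HEX_DIR_RE.search(event["image"]):
            return ("run_key_from_temp_dir", "high")
        return ("run_key_added", "low")
    return None


def detect(events: list) -> list:
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"rule": hit[0], "severity": hit[1],
                           "image": ev["image"], "target": ev["target"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rule"], alert["image"])
```

Keying the Run-key rule on the drop-path pattern rather than on `danke.exe` keeps it useful across Amadey builds, whose install directory is random hex but whose layout under `%TEMP%` stays the same.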

MITRE ATT&CK Enterprise v15

Tasks