General

  • Target

    18a3dc2a1a08dcdc2be3e22cde884279be1b9c3e3381811fa61691a37554f978

  • Size

    845KB

  • Sample

    241111-gvv6tatlh1

  • MD5

    6d77c047f88ad97370636d5ffbe942a8

  • SHA1

    3bbf77ff804308994e3c30fc405da5e7398faa28

  • SHA256

    18a3dc2a1a08dcdc2be3e22cde884279be1b9c3e3381811fa61691a37554f978

  • SHA512

    512b9d487211560ba4d885fc45535b23ab5d184403cf8457d3cc3bc46ddcc30b2cdd7c659e1b6bfd267a058cefa4ddd941734446f7820a36b8a4f299770c3449

  • SSDEEP

    24576:ayMxOsza64HODL8O+WJNhERL5Cb0zDGWrRE:hMxOJ6oODL8OBQ1DGWrR

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

line

C2

77.91.124.145:4125

Attributes
  • auth_value

    4b76fbe5517b89e3245dc3e5712a55e4

Extracted

Family

amadey

Version

3.69

Botnet

d5c6a6

C2

http://193.233.20.36

Attributes
  • install_dir

    c5d2db5804

  • install_file

    oneetx.exe

  • strings_key

    e87c4866b4a5eab34de1c0666fe62daf

  • url_paths

    /joomla/index.php

  • rc4.plain

Targets

    • Target

      18a3dc2a1a08dcdc2be3e22cde884279be1b9c3e3381811fa61691a37554f978

    • Size

      845KB

    • MD5

      6d77c047f88ad97370636d5ffbe942a8

    • SHA1

      3bbf77ff804308994e3c30fc405da5e7398faa28

    • SHA256

      18a3dc2a1a08dcdc2be3e22cde884279be1b9c3e3381811fa61691a37554f978

    • SHA512

      512b9d487211560ba4d885fc45535b23ab5d184403cf8457d3cc3bc46ddcc30b2cdd7c659e1b6bfd267a058cefa4ddd941734446f7820a36b8a4f299770c3449

    • SSDEEP

      24576:ayMxOsza64HODL8O+WJNhERL5Cb0zDGWrRE:hMxOJ6oODL8OBQ1DGWrR

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
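
Example (added here, not part of the sandbox report or of any of the malware families' own code): the extracted configuration above turned into matchers and run over constructed telemetry. The RedLine C2 77.91.124.145:4125 is shared by both RedLine configs (botnets "norm" and "line"), so one network matcher covers both; the Amadey check-in URL is the C2 base joined with url_paths, and the install_dir/install_file pair gives the expected tail of the Run key data. The event dictionary layout, the %TEMP% install location, and the Windows Defender Real-Time Protection value names are assumptions of this example, not facts taken from the report.

```python
"""Build matchers from the RedLine/Amadey configuration extracted in this
report and run them over constructed host and network telemetry.
Example code added to this page; not part of the sandbox report."""
import re

# Values copied from the "Malware Config" section of the report.
REDLINE_C2 = ("77.91.124.145", 4125)          # same C2 for botnets "norm" and "line"
AMADEY_C2 = "http://193.233.20.36"
AMADEY_URL_PATHS = ["/joomla/index.php"]
AMADEY_INSTALL_DIR = "c5d2db5804"
AMADEY_INSTALL_FILE = "oneetx.exe"

# Assumption (not stated on the page): the Defender registry values a
# "disable real-time protection" dropper typically sets to 1.
DEFENDER_RTP_KEY = r"SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_RTP_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableOnAccessProtection",
}
# Matches the classic per-user/per-machine Run key, whatever hive prefix precedes it.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)


def amadey_c2_urls():
    """Full Amadey check-in URLs: C2 base joined with each url_path."""
    return [AMADEY_C2.rstrip("/") + p for p in AMADEY_URL_PATHS]


def match_network(event):
    """event: dict with 'dst', 'dport' and an optional 'url'. Returns hit names."""
    hits = []
    if (event.get("dst"), event.get("dport")) == REDLINE_C2:
        hits.append("redline_c2_connect")
    url = event.get("url", "")
    if any(url.startswith(u) for u in amadey_c2_urls()):
        hits.append("amadey_c2_checkin")
    return hits


def match_registry(event):
    """event: dict with 'key', 'value', 'data' (a registry SetValue). Returns hit names."""
    hits = []
    key, value, data = event["key"], event["value"], str(event["data"])
    # Amadey persistence: Run key entry whose data ends in <install_dir>\<install_file>.
    expected_tail = f"\\{AMADEY_INSTALL_DIR}\\{AMADEY_INSTALL_FILE}"
    if RUN_KEY_RE.search(key) and data.lower().endswith(expected_tail):
        hits.append("amadey_run_key_persistence")
    # Healer-style tampering: a Real-Time Protection "Disable*" value set to 1.
    if (key.lower().endswith(DEFENDER_RTP_KEY.lower())
            and value in DEFENDER_RTP_VALUES and data == "1"):
        hits.append("defender_rtp_disabled")
    return hits


def scan(events):
    """Return {event_index: [hit names]} for every event that matched something."""
    findings = {}
    for i, ev in enumerate(events):
        hits = match_network(ev) if ev["type"] == "net" else match_registry(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed telemetry for demonstration only; not taken from the report.
SAMPLE_EVENTS = [
    {"type": "net", "dst": "77.91.124.145", "dport": 4125},
    {"type": "net", "dst": "193.233.20.36", "dport": 80,
     "url": "http://193.233.20.36/joomla/index.php"},
    {"type": "net", "dst": "93.184.216.34", "dport": 443, "url": "https://example.com/"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "oneetx.exe",
     "data": r"C:\Users\user\AppData\Local\Temp\c5d2db5804\oneetx.exe"},
    {"type": "reg", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 1},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx], "->", hits)
```

The benign OneDrive Run entry and the unrelated HTTPS connection are included so the matchers show they key on the extracted values rather than on the Run key or on port 80 alone; a real deployment would feed Sysmon event 3 (network) and event 13 (registry SetValue) records in place of the constructed dictionaries.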

MITRE ATT&CK Enterprise v15

Tasks