General

  • Target

    1bbc3bff13812c25d47cd84bca3da2dc.exe

  • Size

    300KB

  • Sample

    241213-axw3kavken

  • MD5

    1bbc3bff13812c25d47cd84bca3da2dc

  • SHA1

    d3406bf8d0e9ac246c272fa284a35a3560bdbff5

  • SHA256

    0a17e2ca8f223de67c0864fac1d24c7bb2d0c796c46e9ce04e4dff374c577ea1

  • SHA512

    181b1e2bd08978b6ee3da2b48e0b113623b85c42ab8cec2a23bd5119aba7105fdeef9b7b00343d37b0c8344494640ce0a51615393def8242334420134f75871f

  • SSDEEP

    6144:O2JKCwoXjMvjfTK/zNTdEpZ4m1qpxXQKQrUJ0tYRVAOTIdTsImm:8CwoXjMbTKLNhEpZ4m0vXQKQrxgu

Malware Config

Extracted

  • Family

    redline

  • Botnet

    eewx

  • C2

    185.81.68.147:1912

Extracted

  • Family

    amadey

  • Version

    5.10

  • Botnet

    0f3be6

  • C2

    http://185.81.68.147

    http://185.81.68.148

  • Attributes

    • install_dir

      ee29ea508b

    • install_file

      Gxtuum.exe

    • strings_key

      d3a5912ea69ad34a2387af70c8be9e21

    • url_paths

      /7vhfjke3/index.php

      /8Fvu5jh4DbS/index.php

    • rc4.plain

Targets

    • Target

      1bbc3bff13812c25d47cd84bca3da2dc.exe

    • Size

      300KB

    • MD5

      1bbc3bff13812c25d47cd84bca3da2dc

    • SHA1

      d3406bf8d0e9ac246c272fa284a35a3560bdbff5

    • SHA256

      0a17e2ca8f223de67c0864fac1d24c7bb2d0c796c46e9ce04e4dff374c577ea1

    • SHA512

      181b1e2bd08978b6ee3da2b48e0b113623b85c42ab8cec2a23bd5119aba7105fdeef9b7b00343d37b0c8344494640ce0a51615393def8242334420134f75871f

    • SSDEEP

      6144:O2JKCwoXjMvjfTK/zNTdEpZ4m1qpxXQKQrUJ0tYRVAOTIdTsImm:8CwoXjMbTKLNhEpZ4m0vXQKQrxgu

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks