General

  • Target

    4962575a2378d5c72e7a836ea766e2ad.exe

  • Size

    431KB

  • Sample

    241213-hjl97s1mgx

  • MD5

    4962575a2378d5c72e7a836ea766e2ad

  • SHA1

    549964178b12017622d3cbdda6dbfdef0904e7e2

  • SHA256

    eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

  • SHA512

    911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

  • SSDEEP

    12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb

Malware Config

Extracted

Family

amadey

Version

5.10

Botnet

0f3be6

C2

http://185.81.68.147

http://185.81.68.148

Attributes
  • install_dir

    ee29ea508b

  • install_file

    Gxtuum.exe

  • strings_key

    d3a5912ea69ad34a2387af70c8be9e21

  • url_paths

    /7vhfjke3/index.php

    /8Fvu5jh4DbS/index.php

rc4.plain

Extracted

Family

redline

Botnet

eewx

C2

185.81.68.147:1912

Targets

    • Target

      4962575a2378d5c72e7a836ea766e2ad.exe

    • Size

      431KB

    • MD5

      4962575a2378d5c72e7a836ea766e2ad

    • SHA1

      549964178b12017622d3cbdda6dbfdef0904e7e2

    • SHA256

      eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

    • SHA512

      911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

    • SSDEEP

      12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks