General

  • Target

    dd1e3f38ae7711d270748012af613950.exe

  • Size

    301KB

  • Sample

    241213-hvx6vatkgm

  • MD5

    dd1e3f38ae7711d270748012af613950

  • SHA1

    b3b90eec3507f523aa63802cc16e5248c8ef0ea8

  • SHA256

    2997292293c332e73b11fa28126b6fbefea75a6bb02001eb017de46797d4e4ec

  • SHA512

    0eff0cba972b6622fb59683fe4d15d1b6c1ef106166189f60dcd7b4c76b6ceb82fd5c71433dc61394f03eff03575f2be27dec6ac8ab064491710263879b11bca

  • SSDEEP

    6144:Y2J31coxDzgqSAy3/wLZRYa2dWSS8ySQIaTgHJ0tYRV4OeJiqbQ5rF4:71coxDzgxAKILIa2d1S8ySQIaTpjKrF4

Malware Config

Extracted

Family

redline

Botnet

eewx

C2

185.81.68.147:1912

Targets

    • Target

      dd1e3f38ae7711d270748012af613950.exe

    • Size

      301KB

    • MD5

      dd1e3f38ae7711d270748012af613950

    • SHA1

      b3b90eec3507f523aa63802cc16e5248c8ef0ea8

    • SHA256

      2997292293c332e73b11fa28126b6fbefea75a6bb02001eb017de46797d4e4ec

    • SHA512

      0eff0cba972b6622fb59683fe4d15d1b6c1ef106166189f60dcd7b4c76b6ceb82fd5c71433dc61394f03eff03575f2be27dec6ac8ab064491710263879b11bca

    • SSDEEP

      6144:Y2J31coxDzgqSAy3/wLZRYa2dWSS8ySQIaTgHJ0tYRV4OeJiqbQ5rF4:71coxDzgxAKILIa2d1S8ySQIaTpjKrF4

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks