General

  • Target: b347a0f26d057878a1c24927ced02b30.bin
  • Size: 529KB
  • Sample: 230620-b17txaad9v
  • MD5: b58fcf6af38810ff3d35677426d6234e
  • SHA1: 5e673160dc2332113619b3d64debeb150238cf50
  • SHA256: c2743ffc093d1ce9be6231c72a5d03a5029e5a913632e0d0ed032b8db5ce1b0e
  • SHA512: 18ce336f923575371eec2619882e83de00d9a70877943583e2de4cf6d037d2c36ea86d17989f4b5773b309c29d4b118b582e730bbd5a638e1781b22de6934fef
  • SSDEEP: 12288:wT5w3OAOZMjLS0tLwsGwn7pk+6PZ7UKq0PLv:d3uZWL3k89F+dUkjv

Malware Config

Extracted

  • Family: redline
  • Botnet: duza
  • C2: 83.97.73.129:19071
  • Attributes
      • auth_value: 787a4e3bbc78fd525526de1098cb0621

Extracted

  • Family: amadey
  • Version: 3.84
  • C2: 77.91.68.63/doma/net/index.php

Extracted

  • Family: redline
  • Botnet: jason
  • C2: 83.97.73.129:19071
  • Attributes
      • auth_value: 87d1dc01751f148e9bec02edc71c5d94

Targets

    • Target: f029a186250840ab5492c2d8f9fee5197b9919f1111e8d11c4c6c6e8bf7f8206.exe
    • Size: 573KB
    • MD5: b347a0f26d057878a1c24927ced02b30
    • SHA1: 293e5184eb24a7dc83468ad14a9449e9ca67122b
    • SHA256: f029a186250840ab5492c2d8f9fee5197b9919f1111e8d11c4c6c6e8bf7f8206
    • SHA512: 03cfefb658c0f145a61c99bdeca2602df4527d2a47c885990e83d6848d099503ba7fd354edefe4e5399e09519bb4eebc7428a21d9f82e4eb342763ff7e1c0246
    • SSDEEP: 12288:dMrOy90cyrwseeuT1W1CvL/7qFwyFPH4/YRsI:vypxreuprLOFwK4/YRr

    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Scheduled Task (T1053): 1

Persistence
  • Modify Existing Service (T1031): 1
  • Registry Run Keys / Startup Folder (T1060): 1
  • Scheduled Task (T1053): 1

Privilege Escalation
  • Scheduled Task (T1053): 1

Defense Evasion
  • Modify Registry (T1112): 3
  • Disabling Security Tools (T1089): 2

Credential Access
  • Credentials in Files (T1081): 1

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2

Collection
  • Data from Local System (T1005): 1

Tasks