General

  • Target

    2feacea8014cfa57f7a298a10c8bac74.bin

  • Size

    539KB

  • Sample

    230620-bgs7eahc29

  • MD5

    0ea56f56293f3e23c1e29833eba20ca1

  • SHA1

    9383d48f369da2f653c25010d0d93db83d211a7c

  • SHA256

    522eb869f2d5e95fa95009b949b8263a020507199dc487be33429fc0f72d2bd2

  • SHA512

    32c176c581e7645db459c4bdffd497bc364b1be3c6aff15718f7b7130fc6d4f7d2b362136de65e26b9d7372b38d9c34e8ebc1cabb729459a71cd4b13d74acc46

  • SSDEEP

    12288:0OR2b2ooBjsKynwnKbxRFAzQHkRf7nJZyFhF2Zrdd57U:0cI2I12UfsQHkRfDJZumZrdX7U

Malware Config

Extracted

Family

redline

Botnet

jason

C2

83.97.73.129:19071

Attributes
  • auth_value

    87d1dc01751f148e9bec02edc71c5d94

Extracted

Family

redline

Botnet

duza

C2

83.97.73.129:19071

Attributes
  • auth_value

    787a4e3bbc78fd525526de1098cb0621

Extracted

Family

amadey

Version

3.84

C2

77.91.68.63/doma/net/index.php

Targets

    • Target

      98e6f328e026d4ae0241c766af9e4cf8cfe4b6d694fe01acde39f175eb973d6a.exe

    • Size

      583KB

    • MD5

      2feacea8014cfa57f7a298a10c8bac74

    • SHA1

      b11c5cf834488fe975d243e0bffff3045b335286

    • SHA256

      98e6f328e026d4ae0241c766af9e4cf8cfe4b6d694fe01acde39f175eb973d6a

    • SHA512

      91379480094f7f81c8f9fdbb4a9e32985788b0c9e599751124a29fc4c126953d45e2e7af4d1392160aa095fd57bf4248d529a4c79f64a64aef1be0242f12d1aa

    • SSDEEP

      12288:7MrYy909dvAMaZoJbKH5AIMbkotOAB3XWu1CBqsIvrpqPquyl:HymEZ+bKGdb/J3X7sBqFryquyl

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                              Count  ID
  Execution              Scheduled Task                         1      T1053
  Persistence            Modify Existing Service                1      T1031
  Persistence            Registry Run Keys / Startup Folder     1      T1060
  Persistence            Scheduled Task                         1      T1053
  Privilege Escalation   Scheduled Task                         1      T1053
  Defense Evasion        Modify Registry                        3      T1112
  Defense Evasion        Disabling Security Tools               2      T1089
  Credential Access      Credentials in Files                   1      T1081
  Discovery              Query Registry                         2      T1012
  Discovery              System Information Discovery           2      T1082
  Collection             Data from Local System                 1      T1005

Tasks