Overview

overview

10

Static

static

595d937d15...7a.exe

windows7-x64

10

595d937d15...7a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a.exe

  • Size

    199KB

  • Sample

    221114-1mtgssdg88

  • MD5

    24aefc511e8782b3560e2ac1b6848992

  • SHA1

    86853f21538d72f43a07504662fe9b2b1718bfde

  • SHA256

    595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a

  • SHA512

    860c016caf49ddd91cc425811b718a196b54afae4418fa91813141b87dd542795cb50d43dccf5007ecad88c2154875dc32b60e71282439de3cfebcc95464d6b3

  • SSDEEP

    3072:YF8XLVpJVntILIeKLOqbn/nRgDGOxMjHhQQE3K/AlxwV:YmHJALkOQ/WdyjG37xw

Score
10/10
amadeyredlinesmokeloader418736246_99rozena1114backdoorcollectiondiscoveryinfostealerspywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

418736246_99

C2

mechanikal.top:3306

mechanikal.top:28786
Attributes
  • auth_value

    de0e3c583832e10f3a5332419d78aac0

Extracted

Family

redline

Botnet

rozena1114

C2

jalocliche.xyz:81

chardhesha.xyz:81
Attributes
  • auth_value

    9fefd743a3b62bcd7c3e17a70fbdb3a8

Targets

    • Target

      595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a.exe

    • Size

      199KB

    • MD5

      24aefc511e8782b3560e2ac1b6848992

    • SHA1

      86853f21538d72f43a07504662fe9b2b1718bfde

    • SHA256

      595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a

    • SHA512

      860c016caf49ddd91cc425811b718a196b54afae4418fa91813141b87dd542795cb50d43dccf5007ecad88c2154875dc32b60e71282439de3cfebcc95464d6b3

    • SSDEEP

      3072:YF8XLVpJVntILIeKLOqbn/nRgDGOxMjHhQQE3K/AlxwV:YmHJALkOQ/WdyjG37xw

    Score
    10/10
    smokeloaderbackdoortrojanamadeyredline418736246_99rozena1114collectiondiscoveryinfostealerspywarestealerupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks