General

  • Target: file.exe
  • Size: 233KB
  • Sample: 221218-x1g45sgd7y
  • MD5: 30bfff5f826b2587eb0af8103ebb4375
  • SHA1: 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
  • SHA256: 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
  • SHA512: 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec
  • SSDEEP: 6144:FYZwzmgg8G5frVYdqXx0UuDp5kNdRfwR:qKEVvXduDpofwR

Malware Config

Extracted
  • Family: amadey
  • Version: 3.61
  • C2: 62.204.41.79/U7vfDb3kg/index.php

Extracted
  • Family: redline
  • Botnet: Upadated.119
  • C2: 185.106.92.214:27015
  • Attributes
      • auth_value: 1b9932ed90389b18d9998126e80bd1ce

Extracted
  • Family: amadey
  • Version: 3.50
  • C2: 31.41.244.237/jg94cVd30f/index.php

Extracted
  • Family: amadey
  • Version: 3.60
  • C2:
      • 62.204.41.13/gjend7w/index.php
      • 193.42.33.28/game0ver/index.php

Extracted
  • Family: redline
  • Botnet: nokia
  • C2: 31.41.244.198:4083
  • Attributes
      • auth_value: 3b38e056d594ae0cf1368e6e1daa3a4e

Extracted
  • Family: aurora
  • C2: 45.144.30.146:8081

Extracted
  • Language: ps1
  • Source: exe.dropper
  • URLs: https://cdn.discordapp.com/attachments/1049569242455998544/1049862157858242560/string4633.err

Extracted
  • Language: ps1
  • Source: exe.dropper
  • URLs: https://cdn.discordapp.com/attachments/1049569242455998544/1049862157594021948/string792.err

Extracted
  • Family: redline
  • Botnet: installs1
  • C2: 89.23.96.2:7253
  • Attributes
      • auth_value: fb538922d8f77f00fb6c39f8066af176

Extracted
  • Family: socelars
  • C2: https://hdbywe.s3.us-west-2.amazonaws.com/asdfedfe8/

Extracted
  • Family: redline
  • Botnet: installs
  • C2: 89.23.96.2:7253
  • Attributes
      • auth_value: 8d4428f372143572364f044ea9649d7f

Extracted
  • Family: amadey
  • Version: 3.10
  • C2:
      • hellomr.observer/f8dfksdj3/index.php
      • researchersgokick.rocks/f8dfksdj3/index.php
      • pleasetake.pictures/f8dfksdj3/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Detects Amadey credential stealer module

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
