Overview

overview

10

Static

static

10

812b8d76e0...02.exe

windows7-x64

10

812b8d76e0...02.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    812b8d76e0cf1e825bbfcf787ebdd902.exe

  • Size

    236KB

  • Sample

    230201-sgsdjsac43

  • MD5

    812b8d76e0cf1e825bbfcf787ebdd902

  • SHA1

    9f981c60bb4195657340519e13f1422e5cc8967b

  • SHA256

    6513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34

  • SHA512

    9a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7

  • SSDEEP

    6144:r0oFwGz+5JJw20a1bfjVEmAuVy1OVYvk8gF:rpLxa5VsuVy8VJ

Score
10/10
amadeyredlinerhadamanthyssmokeloader@redlinevip cloud (tg: @fatherofcarders)bigdickdruidfredynewnew1temposs6678backdoorbootkitdiscoveryevasioninfostealerpersistencespywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

amadey

Version

3.66

C2

193.233.20.4/t6r48nSa/index.php

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

redline

Botnet

druid

C2

62.204.41.170:4132

Attributes
  • auth_value

    fddcb4126f1d0ea4ac975511b3530e72

Extracted

Family

redline

C2

85.31.44.66:17742

Attributes
  • auth_value

    e9a89e5b72a729171b1655add99ee280

Extracted

Family

redline

Botnet

fredy

C2

62.204.41.170:4132

Attributes
  • auth_value

    880249eef9593d49a1a3cddf57c5cb35

Extracted

Family

redline

Botnet

new1

C2

176.113.115.16:4122

Attributes
  • auth_value

    ac44cbde6633acc9d67419c7278d5c70

Extracted

Family

redline

Botnet

temposs6678

C2

82.115.223.9:15486

Attributes
  • auth_value

    af399e6a2fe66f67025541cf71c64313

Extracted

Family

redline

Botnet

new

C2

176.113.115.16:4122

Attributes
  • auth_value

    0ae189161615f61e951d226417eab9d5

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

C2

151.80.89.233:13553

Attributes
  • auth_value

    fbee175162920530e6bf470c8003fa1a

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

redline

Botnet

bigdick

C2

185.254.37.212:80

Attributes
  • auth_value

    88290259fe8dc49da48b125d03e6788c

Targets

    • Target

      812b8d76e0cf1e825bbfcf787ebdd902.exe

    • Size

      236KB

    • MD5

      812b8d76e0cf1e825bbfcf787ebdd902

    • SHA1

      9f981c60bb4195657340519e13f1422e5cc8967b

    • SHA256

      6513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34

    • SHA512

      9a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7

    • SSDEEP

      6144:r0oFwGz+5JJw20a1bfjVEmAuVy1OVYvk8gF:rpLxa5VsuVy8VJ

    Score
    10/10
    amadeyredlinerhadamanthyssmokeloader@redlinevip cloud (tg: @fatherofcarders)bigdickdruidfredynewnew1temposs6678backdoordiscoveryevasioninfostealerpersistencespywarestealertrojanupxvmprotectbootkit

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect rhadamanthys stealer shellcode

    • Detects Smokeloader packer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Stops running service(s)

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • Windows security modification

      evasiontrojan

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

1
T1060

Bootkit

1
T1067

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

4
T1112

Disabling Security Tools

2
T1089

Virtualization/Sandbox Evasion

1
T1497

Impair Defenses

1
T1562

Scripting

1
T1064

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Tasks