General

  • Target

    0x000600000000072d-163.dat

  • Size

    236KB

  • Sample

    230203-w45tyaca4y

  • MD5

    fde8915d251fada3a37530421eb29dcf

  • SHA1

    44386a8947ddfab993409945dae05a772a13e047

  • SHA256

    6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

  • SHA512

    ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

  • SSDEEP

    6144:+VSoYbL/MOFBtDe+1T9uA/qruVy5NghHgVO:NoH3+uA+uVy5NAqO

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.5/Bu58Ngs/index.php

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

redline

Botnet

gonka

C2

62.204.41.170:4179

Attributes

  • auth_value

    f017b1096da5cc257f8ca109051c5fbb

Extracted

Family

redline

Botnet

bigdick

C2

185.254.37.212:80

Attributes

  • auth_value

    88290259fe8dc49da48b125d03e6788c

Extracted

Family

redline

C2

85.31.44.66:17742

Attributes

  • auth_value

    e9a89e5b72a729171b1655add99ee280

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Smokeloader packer

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
