Overview

overview

10

Static

static

1

6f88b9e1e4...76.exe

windows7-x64

10

6f88b9e1e4...76.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76

  • Size

    244KB

  • Sample

    230310-ktw89scd76

  • MD5

    78860803c7f6f7e9a9a21034adc13db1

  • SHA1

    c6ed85e97a01f2111af9ce5a376203cb8ea4594b

  • SHA256

    6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76

  • SHA512

    e217b35d38740796a25700c90d1e657fc9d62bbe9b7149dd667b1fa453f0eb7e0ac5f3edb305a5167c666c632164bc1ae7a7329895f38051eeb4a48daded3270

  • SSDEEP

    3072:atjySptLGcM23soO+xvmMwf7uRZDF0L3+OVnv+KxGyDnx4CR2a0:asYtLj3FO+af7qDF0L3+OVWKxGUuM2a

Score
10/10
amadeyredlinerhadamanthyssmokeloader02-700-222023agilenetbackdoorevasioninfostealerpersistenceransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Family

smokeloader

Botnet

2023

Extracted

Family

smokeloader

Version

2022

C2

http://c3g6gx853u6j.xyz/

http://04yh16065cdi.xyz/

http://33qd2w560vnx.xyz/

http://neriir0f76gr.com/

http://b4y08hrp3jdb.com/

http://swp6fbywla09.com/

http://7iqt53dr345u.com/

http://mj4aj8r55mho.com/

http://ne4ym7bjn1ts.com/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

02-700-2

C2

167.235.133.96:43849

Attributes
  • auth_value

    8af50b3310e79fa317eef66b1e92900f

Extracted

Family

redline

Botnet

2

C2

51.81.126.50:19836

Attributes
  • auth_value

    7be92ecdf2c2f5400aa90f72d61cb2a4

Extracted

Family

amadey

Version

3.65

C2

hellomr.observer/7gjD0Vs3d/index.php

researchersgokick.rocks/7gjD0Vs3d/index.php

pleasetake.pictures/7gjD0Vs3d/index.php

Targets

    • Target

      6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76

    • Size

      244KB

    • MD5

      78860803c7f6f7e9a9a21034adc13db1

    • SHA1

      c6ed85e97a01f2111af9ce5a376203cb8ea4594b

    • SHA256

      6f88b9e1e4e6f5e2898e401f1826b99739654752ee83bf0495ff048dca422b76

    • SHA512

      e217b35d38740796a25700c90d1e657fc9d62bbe9b7149dd667b1fa453f0eb7e0ac5f3edb305a5167c666c632164bc1ae7a7329895f38051eeb4a48daded3270

    • SSDEEP

      3072:atjySptLGcM23soO+xvmMwf7uRZDF0L3+OVnv+KxGyDnx4CR2a0:asYtLj3FO+af7qDF0L3+OVWKxGUuM2a

    Score
    10/10
    smokeloader2023backdoortrojanamadeyredlinerhadamanthys02-700-22agilenetevasioninfostealerpersistenceransomwarespywarestealerthemida

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect rhadamanthys stealer shellcode

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

File Deletion

2
T1107

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

7
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks