General

  • Target: d539b20ba21090a325b74ba95d3c517a.exe
  • Size: 1.1MB
  • Sample: 230405-s1wv3sff74
  • MD5: d539b20ba21090a325b74ba95d3c517a
  • SHA1: 3aa76b8c7cfe14ba388d5060d07252eb168e4a2e
  • SHA256: db5f8ac767385c72f311c050fd411b824a6b42b6b92872a4d9ef133747ed7da9
  • SHA512: cbc2a86a76731bf219c2b134ccdba944da44da7957dd2f7304c6fa13f2b6b6afb834e2cb6c49f2db7e5e3b5f28d637f97d345af09f50b1f4f35c7e0581de9feb
  • SSDEEP: 24576:iy+1CG5q4PXX0LFvXo83mEI4lCFV2ZKoTv6hInFgGSm1y3mW:J+YG5q4cLFQ0mEI4CFKfTv6hInjim

Malware Config

  Extracted
    • Family: redline
    • Botnet: norm
    • C2: 77.91.124.145:4125
    • Attributes: auth_value = 1514e6c0ec3d10a36f68f61b206f5759

  Extracted
    • Family: redline
    • Botnet: linos
    • C2: 77.91.124.145:4125
    • Attributes: auth_value = 85221849d0efabfea4d7563bb7454724

  Extracted
    • Family: amadey
    • Version: 3.69
    • C2: 193.233.20.36/joomla/index.php

  Extracted
    • Family: aurora
    • C2: 141.98.6.253:8081

  Extracted
    • Family: redline
    • Botnet: Anh123
    • C2: 199.115.193.116:11300
    • Attributes: auth_value = db990971ec3911c24ea05eeccc2e1f60

  Extracted
    • Family: redline
    • Botnet: Pizdun
    • C2: 94.142.138.219:20936
    • Attributes: auth_value = 20a1f7fe6575c6613ee7cc5d3025af70

  Extracted
    • Family: xworm
    • Attributes: install_file = SvcHostSC.exe

  Extracted
    • Family: marsstealer
    • Botnet: Default
    • C2: vooip5884.ddns.net/YUHI87PJM.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Mars Stealer

      An infostealer written in C++ based on other infostealers.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                  Technique                             Count  ID
  Execution               Scheduled Task                        1      T1053
  Persistence             Modify Existing Service               1      T1031
  Persistence             Registry Run Keys / Startup Folder    1      T1060
  Persistence             Scheduled Task                        1      T1053
  Privilege Escalation    Scheduled Task                        1      T1053
  Defense Evasion         Modify Registry                       4      T1112
  Defense Evasion         Disabling Security Tools              2      T1089
  Defense Evasion         Install Root Certificate              1      T1130
  Credential Access       Credentials in Files                  2      T1081
  Discovery               Query Registry                        3      T1012
  Discovery               System Information Discovery          3      T1082
  Collection              Data from Local System                2      T1005
  Command and Control     Web Service                           1      T1102