Overview

overview

10

Static

static

1

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    setup.exe

  • Size

    1.1MB

  • Sample

    230418-akggcagf78

  • MD5

    74ef7f65c21d4b23e4dc6d02373e90bd

  • SHA1

    09863be069742b44078f4a5cc2aa2a434b3dd3b3

  • SHA256

    a8243ba0bb55b3755468d7b71f534ef914158b339b0896ad11111c303e49e8f6

  • SHA512

    ddf73fe20f81ba56b267a78297cf3bf295ca4b8875f555d52a6af7f2d59ad631b160a61d96ddc2a390289a52b58e8b1922120ea04a08cb4b91c32de60465ec1b

  • SSDEEP

    24576:iyEmYm/ah6ELVAZQP4YzUSHBYPorN+s0Pp:Jpt0HZACP4nuBFrQlP

Score
10/10
amadeyicarusstealerredlinesectopratghostworkermrpenguindiscoveryevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Extracted

Family

redline

Botnet

MrPenguin

C2

86.38.225.74:16808

Extracted

Family

redline

Botnet

Ghostworker

C2

127.0.0.1:54130

Extracted

Family

icarusstealer

C2

5.75.162.221

Attributes
  • payload_url

    http://193.31.116.239/crypt/public/Update_Downloads/patata.jpg

Targets

    • Target

      setup.exe

    • Size

      1.1MB

    • MD5

      74ef7f65c21d4b23e4dc6d02373e90bd

    • SHA1

      09863be069742b44078f4a5cc2aa2a434b3dd3b3

    • SHA256

      a8243ba0bb55b3755468d7b71f534ef914158b339b0896ad11111c303e49e8f6

    • SHA512

      ddf73fe20f81ba56b267a78297cf3bf295ca4b8875f555d52a6af7f2d59ad631b160a61d96ddc2a390289a52b58e8b1922120ea04a08cb4b91c32de60465ec1b

    • SSDEEP

      24576:iyEmYm/ah6ELVAZQP4YzUSHBYPorN+s0Pp:Jpt0HZACP4nuBFrQlP

    Score
    10/10
    amadeyicarusstealerredlinesectopratghostworkermrpenguindiscoveryevasioninfostealerpersistenceratspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • IcarusStealer

      Icarus is a modular stealer written in C# First adverts in July 2022.

      stealericarusstealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

5
T1112

Disabling Security Tools

2
T1089

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks