General

  • Target

    New Compressed (zipped) Folder.zip

  • Size

    738B

  • Sample

    230930-t1sn4afc65

  • MD5

    88301dec94819a0ad71fff9adcfae9f1

  • SHA1

    a2e88e57e5325c9825b60a18acbd4d39fa70559a

  • SHA256

    67a4b500b6afd7328ff998bba24e4289c9cb94330f2999e652def70b3cc1b4ec

  • SHA512

    95399a665f9620125486fd3c7d5331b8a094ff857c79f39788e48e67cf8f3b87594652ac41b07304337c69e03310cde5b4b737b4d3f6d5825668eb1ee7c4102a

Malware Config

Extracted

Family

aurora

C2

212.87.204.93:8081

Extracted

Family

formbook

Version

4.1

Campaign

ge06

Decoy


Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy


Extracted

Family

amadey

Version

3.89

C2

http://193.42.32.29/9bDc8sQ/index.php

Attributes
  • install_dir

    1ff8bec27e

  • install_file

    nhdues.exe

  • strings_key

    2efe1b48925e9abf268903d42284c46b

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

YT LOGS CLOUD

C2

176.123.4.46:33783

Attributes
  • auth_value

    f423cd8452a39820862c1ea501db4ccf

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • Formbook

      Formbook is an information-stealing malware family.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Formbook payload

    • Downloads MZ/PE file

    • Stops running service(s)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Scripting (1) T1064

  • Scheduled Task/Job (1) T1053

Persistence

  • Create or Modify System Process (1) T1543

  • Windows Service (1) T1543.003

  • Scheduled Task/Job (1) T1053

Privilege Escalation

  • Create or Modify System Process (1) T1543

  • Windows Service (1) T1543.003

  • Scheduled Task/Job (1) T1053

Defense Evasion

  • Impair Defenses (1) T1562

  • Scripting (1) T1064

Discovery

  • System Information Discovery (1) T1082

Command and Control

  • Web Service (1) T1102

Impact

  • Service Stop (1) T1489

Tasks