Overview

overview

10

Static

static

3

New Text Document.exe

windows10-2004-x64

10

Resubmissions

17-11-2023 19:12

231117-xwf2aaeb6w 10

13-11-2023 20:48

231113-zlyjpafe33 10

11-11-2023 00:27

231111-asanrsce88 10

26-10-2023 01:21

231026-bqq4eaae92 10

17-10-2023 19:09

231017-xt332ahd24 10

14-10-2023 18:16

231014-wwjlqsgc23 10

08-10-2023 21:51

231008-1qgmeagc31 10

03-10-2023 17:46

231003-wckppaed21 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New Text Document.exe

  • Size

    4KB

  • Sample

    231003-wckppaed21

  • MD5

    a239a27c2169af388d4f5be6b52f272c

  • SHA1

    0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c

  • SHA256

    98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

  • SHA512

    f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da

  • SSDEEP

    48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Score
10/10
amadeyphemedroneredlinesectopratstealcwarzoneratcheatclientfileevasioninfostealerratstealerthemidatrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.alba-consultants-be.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nViT!Rw7

Extracted

Family

stealc

C2

http://aidandylan.top

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Extracted

Family

redline

Botnet

clientfile

C2

194.180.49.159:80

Extracted

Family

warzonerat

C2

osiarus.duckdns.org:4244

Extracted

Family

redline

Botnet

cheat

C2

155.94.129.4:50514

Targets

    • Target

      New Text Document.exe

    • Size

      4KB

    • MD5

      a239a27c2169af388d4f5be6b52f272c

    • SHA1

      0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c

    • SHA256

      98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

    • SHA512

      f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da

    • SSDEEP

      48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

    Score
    10/10
    amadeyphemedroneredlinesectopratstealcwarzoneratcheatclientfileevasioninfostealerratstealerthemidatrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Phemedrone

      An information and wallet stealer written in C#.

      stealerphemedrone

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks