General

  • Target

    b1d2b4bb41650a04764460c050c1d52defd83b7f5aa53c7e848f10870b46c1c9

  • Size

    103KB

  • Sample

    231011-hpp82sgb51

  • MD5

    0aa69a90bb130153f226553d7ff823c6

  • SHA1

    38be605582db9520952dcaf453fab50d2ba6d428

  • SHA256

    ec02f4f3e91f6c92dc012f7885ca9722628d48613d14c485403d33e8c1b7fe90

  • SHA512

    f781898ee70e7b1a9d3ea74cdf494c2552a32d0b2594d9d4ab05724eb6ca3e6ed9d6bb32a1b6d79930f4e5e63e555b5c52142a5049c1575af89eb4c775539f50

  • SSDEEP

    3072:4LTzrHEDjomznpCacXyS+ZLRyy4c1m6J/n:4LXmD8hX8ZNyCm6xn

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

Attributes

  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

6012068394_99

C2

https://pastebin.com/raw/8baCJyMF

Extracted

Family

redline

Botnet

pixelscloud

C2

85.209.176.171:80

Targets

    • Target

      b1d2b4bb41650a04764460c050c1d52defd83b7f5aa53c7e848f10870b46c1c9

    • Size

      241KB

    • MD5

      01da4e3aedd22bf8346998b8a04bb044

    • SHA1

      647b2fb6cfcb4addeb3223d86995c0033fbe1f8b

    • SHA256

      b1d2b4bb41650a04764460c050c1d52defd83b7f5aa53c7e848f10870b46c1c9

    • SHA512

      ab7eb9fed68f8785d84a4bacd783c9d002aed47c9a4066fe20b6cb014a4a35ac73dc04ff2e9cb5ed5ca4aca4d8a064527f099d302cfc36c4da5ddfec560b8c04

    • SSDEEP

      6144:V7Vj3uVUn27+6qQx41QPF2nnugMeS2SpY:xwYfQx9FOnugMeS2

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Healer

      Healer is an antivirus disabler dropper.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15