General

  • Target

    066556e720a45c049f6887dcb2e50d66.bin

  • Size

    1018KB

  • Sample

    231011-jkdj5acb53

  • MD5

    e383ee95d709493948330d57b56f80c8

  • SHA1

    b815a38a45f4490f0be10ed08f322ed0bac2071b

  • SHA256

    78dec8de750ec13c91291c28fe71fa808a0268a6e198c4e7b2fd3d7cc8b25069

  • SHA512

    610e4c0f42667a5c075aa218c9d3b7ed981faa3d803274c185cc49a34167f279f8ccaae4350989c716eb16c7c43a8bce6d5520a19cf27ff28a34c0478c47e07a

  • SSDEEP

    24576:vj9rYpOnzwuJ0n/oBQLB3zheFUGSG85QC2/:vj1aS0uxCzhuUGhAQ3

Malware Config

Extracted

  • Family

    redline

  • Botnet

    gruha

  • C2

    77.91.124.55:19071

  • Attributes

    auth_value: 2f4cf2e668a540e64775b27535cc6892

Extracted

  • Family

    amadey

  • Version

    3.89

  • C2

    http://77.91.68.52/mac/index.php
    http://77.91.68.78/help/index.php

  • Attributes

    install_dir: fefffe8cea
    install_file: explonde.exe
    strings_key: 916aae73606d7a9e02a1d3b47c199688
    rc4.plain
    rc4.plain

Targets

    • Target

      36189d79cecb16a013cb2b7c68884036fd232474c5b019fce8d5f1595005810d.exe

    • Size

      1.0MB

    • MD5

      066556e720a45c049f6887dcb2e50d66

    • SHA1

      4c1c694615904bf83833242c0702810b924e2123

    • SHA256

      36189d79cecb16a013cb2b7c68884036fd232474c5b019fce8d5f1595005810d

    • SHA512

      9a1dc99198dfdf53e56791fd6ac21f1e0678eeda0fd1e2ac599ffe31b689ee209394279578e90e7ee942708c2d116807030f56b6c99fc845c06c3e3ca18d208c

    • SSDEEP

      24576:ByrPJgo92UDmUFxzB+Pl9QKSaKgm9URiRVTr3ZfLO2gNNakw:0rxn2ypyt9xJKgfiRVHZDBgNk

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              Count  ID
  --------------------  -------------------------------------  -----  ---------
  Execution             Scheduled Task/Job                     1      T1053
  Persistence           Create or Modify System Process        1      T1543
  Persistence             Windows Service                      1      T1543.003
  Persistence           Boot or Logon Autostart Execution      1      T1547
  Persistence             Registry Run Keys / Startup Folder   1      T1547.001
  Persistence           Scheduled Task/Job                     1      T1053
  Privilege Escalation  Create or Modify System Process        1      T1543
  Privilege Escalation    Windows Service                      1      T1543.003
  Privilege Escalation  Boot or Logon Autostart Execution      1      T1547
  Privilege Escalation    Registry Run Keys / Startup Folder   1      T1547.001
  Privilege Escalation  Scheduled Task/Job                     1      T1053
  Defense Evasion       Modify Registry                        2      T1112
  Defense Evasion       Impair Defenses                        1      T1562
  Defense Evasion         Disable or Modify Tools              1      T1562.001
  Discovery             Query Registry                         1      T1012
  Discovery             System Information Discovery           2      T1082

Tasks