Overview

overview

10

Static

static

10

28d3884e2e...32.exe

windows7-x64

10

28d3884e2e...32.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    28d3884e2ede32105da54c5050ac036ff19029689ffd6bedb21e7e92d2463e32

  • Size

    103KB

  • Sample

    231011-rjsxesec37

  • MD5

    1f521f2effe5cf2e7e7c043e2abc2bf8

  • SHA1

    3ecd76079361db4f98dfbc27d767b1a10fa1a01a

  • SHA256

    43bc385561b0d5cf39cbd784dc3ee7d8db1a3ea7d02d35d5dee415cf2ff49d04

  • SHA512

    ca3a7f3a1f6ca3c4eb61af91253a225337be66bd032a48ff0bdc83a449719f30d9029923e08e613bf5b042c1332d1b366b75c6e546e62d0f3f0fe704898aeafc

  • SSDEEP

    3072:vLTzrHEDjomznpCacXyS+ZLRyy4u1m6JB:vLXmD8hX8ZNyYm6X

Score
10/10
amadeydcrathealerredlinesectopratsmokeloader@ytlogsbotbrehapixelscloudbackdoorgoogledropperinfostealerpersistencephishingrattrojan

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

pixelscloud

C2

85.209.176.171:80

Extracted

Family

redline

Botnet

@ytlogsbot

C2

185.216.70.238:37515

Targets

    • Target

      28d3884e2ede32105da54c5050ac036ff19029689ffd6bedb21e7e92d2463e32

    • Size

      239KB

    • MD5

      73ed489323b6543701efdf6cd368c5e3

    • SHA1

      f923d94ca1aa8b24be16581ff7c55459078cf771

    • SHA256

      28d3884e2ede32105da54c5050ac036ff19029689ffd6bedb21e7e92d2463e32

    • SHA512

      cb18e57e7b991f2e20827427022663fd93d78e467cc5e958aed28ca5327c1501a21f662d36fa91b5536795106826103b6fde772d7743a47f3864c9f55e52d79e

    • SSDEEP

      6144:V7Vj3uVUn27+6qQx41QPF2nnugMeS2SpY:xwYfQx9FOnugMeS2

    Score
    10/10
    amadeydcrathealerredlinesectopratsmokeloader@ytlogsbotbrehapixelscloudbackdoorgoogledropperinfostealerpersistencephishingrattrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detected google phishing page

      phishinggoogle

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks