Overview

overview

10

Static

static

10

7eda5dba70...71.exe

windows7-x64

10

7eda5dba70...71.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7eda5dba702f83ca43a8201d9d77e7d4d3efe45bcb44466c484401d17c81a671

  • Size

    103KB

  • Sample

    231011-rkp7xsce4z

  • MD5

    fb8282d6f9e60ed4bab86295a7189ae7

  • SHA1

    365dd1f6ce885e8db986f0d66cc294f0fc9cd642

  • SHA256

    552b825b95da1394cf84ce6cc5c7d8db92165c6c6bd96c8f05269d60b35e0f6e

  • SHA512

    3435207c375d358e3eb530c6b5b6737824f07b88165faf2bcab5d0e4e502ef2c82ccb5db8d5b212d0d29784df4015e83eb7e4bfb9b3db661acbd3604602df993

  • SSDEEP

    3072:YLTzrHEDjomznpCacXyS+ZLRyy4c1m6J/N:YLXmD8hX8ZNyCm6xN

Score
10/10
amadeyhealerredlinesmokeloaderbrehabackdoordropperinfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Targets

    • Target

      7eda5dba702f83ca43a8201d9d77e7d4d3efe45bcb44466c484401d17c81a671

    • Size

      239KB

    • MD5

      5e68964ac8629a36bd6cce50fc694e6d

    • SHA1

      069596b4aa701c38beeea6c8e6666feed87fb171

    • SHA256

      7eda5dba702f83ca43a8201d9d77e7d4d3efe45bcb44466c484401d17c81a671

    • SHA512

      042a2b89162c13305f4ecbefa1eb99af629dc41db01a0babc8d022a63271887df3b2a3aea126c083d201e282b6492605d99c57c31ddb8b20684316c01ee9117c

    • SSDEEP

      6144:V7Vj3uVUn27+6qQx41QPF2nnugMeS2SpY:xwYfQx9FOnugMeS2

    Score
    10/10
    amadeyhealerredlinesmokeloaderbrehabackdoordropperinfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks