Overview

overview

10

Static

static

3

fd3e5389b7...fc.exe

windows7-x64

5

fd3e5389b7...fc.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    fd3e5389b778bdbf2a185874ef792ace77a1ede6b2c758d662de8c43e70e9bfc

  • Size

    1.4MB

  • Sample

    231012-p3qkascg57

  • MD5

    52d53277159b5b3adc7ce386b9c78c0b

  • SHA1

    fc9cf0aed813493812103aaffe33c5de72ec4d6d

  • SHA256

    fd3e5389b778bdbf2a185874ef792ace77a1ede6b2c758d662de8c43e70e9bfc

  • SHA512

    b9adf829d8c5c888e9b25030169140cea705be190e2f580ac92d89e82c804f44d949183c2a066725733ddc0e882ae222f5f0509c7e67bf50e3ba7cf0d87ade59

  • SSDEEP

    24576:wwvSj9t6lif8NvmwKjMLu2wg1hb0sLP/8linHJQxl4oPGdU/WHoi3/Yf:5Sj9KGyvOiu2w8h7TwiHJQxl4oPGdUa8

Score
10/10
amadeygluptebahealerredlinesmokeloader@ytlogsbotbrehakukishpretsbackdoordropperevasioninfostealerloaderpersistencetrojanupx

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php
Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

rc4.plain
rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

prets

C2

77.91.124.82:19071

Attributes
  • auth_value

    44ee9617e145f5ca73d49c1a4a0c2e34

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

redline

Botnet

@ytlogsbot

C2

185.216.70.238:37515

Targets

    • Target

      fd3e5389b778bdbf2a185874ef792ace77a1ede6b2c758d662de8c43e70e9bfc

    • Size

      1.4MB

    • MD5

      52d53277159b5b3adc7ce386b9c78c0b

    • SHA1

      fc9cf0aed813493812103aaffe33c5de72ec4d6d

    • SHA256

      fd3e5389b778bdbf2a185874ef792ace77a1ede6b2c758d662de8c43e70e9bfc

    • SHA512

      b9adf829d8c5c888e9b25030169140cea705be190e2f580ac92d89e82c804f44d949183c2a066725733ddc0e882ae222f5f0509c7e67bf50e3ba7cf0d87ade59

    • SSDEEP

      24576:wwvSj9t6lif8NvmwKjMLu2wg1hb0sLP/8linHJQxl4oPGdU/WHoi3/Yf:5Sj9KGyvOiu2w8h7TwiHJQxl4oPGdUa8

    Score
    10/10
    amadeygluptebahealerredlinesmokeloader@ytlogsbotbrehakukishpretsbackdoordropperevasioninfostealerloaderpersistencetrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects Healer an antivirus disabler dropper

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks