General
-
Target
d4e8f31ad259c82a2351021863fe430f984e1429522d5357f8de18d2d43b8e6a
-
Size
914KB
-
Sample
231025-z7ghasfh45
-
MD5
cb051e007c63c4c3e420b0c62b8aec2c
-
SHA1
bc227d3e4b909dccde703b2faaf3e64e35aa8010
-
SHA256
d4e8f31ad259c82a2351021863fe430f984e1429522d5357f8de18d2d43b8e6a
-
SHA512
d81b37f6aff6a07fdae7e6682e3c01c2e4ec49ee869a788cb0c5e2245f402ee6e0da0c3c898c9a31b8762099303fff916b13e619e20735bd89e99baed8a50161
-
SSDEEP
12288:cgGboZW829AM9cpSOkCmuIvU4oEEICB4SFfCp1uZfrk61Awc/9qYLxR:cgu829AocpSOkb/oP9xSMi5Fq
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
kinza
77.91.124.86:19084
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
89.23.100.93:4449
oonrejgwedvxwse
-
delay
1
-
install
true
-
install_file
calc.exe
-
install_folder
%AppData%
Extracted
redline
@ytlogsbot
194.169.175.235:42691
Targets
-
-
Target
d4e8f31ad259c82a2351021863fe430f984e1429522d5357f8de18d2d43b8e6a
-
Size
914KB
-
MD5
cb051e007c63c4c3e420b0c62b8aec2c
-
SHA1
bc227d3e4b909dccde703b2faaf3e64e35aa8010
-
SHA256
d4e8f31ad259c82a2351021863fe430f984e1429522d5357f8de18d2d43b8e6a
-
SHA512
d81b37f6aff6a07fdae7e6682e3c01c2e4ec49ee869a788cb0c5e2245f402ee6e0da0c3c898c9a31b8762099303fff916b13e619e20735bd89e99baed8a50161
-
SSDEEP
12288:cgGboZW829AM9cpSOkCmuIvU4oEEICB4SFfCp1uZfrk61Awc/9qYLxR:cgu829AocpSOkb/oP9xSMi5Fq
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect ZGRat V1
-
Detect rhadamanthys stealer shellcode
-
Detected google phishing page
-
Modifies Windows Defender Real-time Protection settings
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Async RAT payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (139) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Indicator Removal
3File Deletion
3Modify Registry
4