General

  • Target

    4331f8b07a24207f798deff126286e79.bin

  • Size

    1.5MB

  • Sample

    231101-bp8l3age5z

  • MD5

    2988bebfeb26af6cdd48a19d2be20d7c

  • SHA1

    cfe12310c124bac7c6873a735b146633cebcfb20

  • SHA256

    ec7a42b168352b5a51a1513a8bd22e83cbbc1598d63ac185bfa7ed6c86393bc0

  • SHA512

    d86191d8dd96c26064486c1e7cb959ead5c43abd74b0c2275317a49093b18b2258d22c960b3dc35eaee8a4901f0f109b16bb3f0d4b2868a71028e0ad40f21e22

  • SSDEEP

    24576:emJvMHK51N3N34Qc1tCoe020I+6vKRe62a+sMXufmMYL349n5UCajuP6HluyoC9G:UK51zIQSBR2e6v8e0+/X8pbn5UnuPewl

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://77.91.68.29/fks/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    redline

  • Botnet

    grome

  • C2

    77.91.124.86:19084

Extracted

  • Family

    amadey

  • Version

    3.89

  • C2

    http://77.91.124.1/theme/index.php

  • Attributes

    • install_dir

      fefffe8cea

    • install_file

      explothe.exe

    • strings_key

      36a96139c1118a354edf72b1080d4b2f

  • rc4.plain

Extracted

  • Family

    redline

  • Botnet

    kinza

  • C2

    77.91.124.86:19084

Extracted

  • Family

    redline

  • Botnet

    pixelnew

  • C2

    194.49.94.11:80

Targets

    • Target

      867c253ac114084e2cda6b03f8820b7179091603fd4b7415b67437ece98c01af.exe

    • Size

      1.5MB

    • MD5

      4331f8b07a24207f798deff126286e79

    • SHA1

      0abdb522f82f4698b3bf76235b62d4998a351af5

    • SHA256

      867c253ac114084e2cda6b03f8820b7179091603fd4b7415b67437ece98c01af

    • SHA512

      213437a9b68bfa138a564439d06b3a79a16153f1476645f9f27f47e1f6fab6c15cb93a36651f6b576723c0646720e85ae55c414e853a47d4aa47c28546926b1d

    • SSDEEP

      49152:MzwcGYuKVOFNOTmr/J7BHBG41Jtfg/YtCnhgD:kSOq7J7BHBG41zcQBD

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect ZGRat V1

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
