General
-
Target
ea3081b6dd31197675f5d03c9853c2a8dd51868ac0bf7956cba0cfe1f7e8ae45.zip
-
Size
1.5MB
-
Sample
231119-zjznzacc51
-
MD5
181d04ea44e7425b65b31f736eb2d79e
-
SHA1
4be18a3039d756305a36c3d6a386d62f1cd619fe
-
SHA256
bfbdf74c1bb47b02b76f151fa556d8288bb0af32ab04b67a1d541dba08d49ee3
-
SHA512
f96a09fc5e1aa07ecd55322c518fd7cbb752bdb4d62561aa9d72c83e70f9a2d3385409f8681d855b47e453a79c1da0bc269f0d0006ed281d8197700096a1a256
-
SSDEEP
49152:L1Pyytdnc3X7ZrTz8XTAOfgEN6DqNepOiNjtkrko9:L8MncH1rTTOlUztYko9
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Targets
-
-
Target
ea3081b6dd31197675f5d03c9853c2a8dd51868ac0bf7956cba0cfe1f7e8ae45.exe
-
Size
1.5MB
-
MD5
4876370b4aa7cc5c03cbfc21da0d5c3b
-
SHA1
4cf8de2830dc960f37ba0dd0e8d50d6be0c90206
-
SHA256
ea3081b6dd31197675f5d03c9853c2a8dd51868ac0bf7956cba0cfe1f7e8ae45
-
SHA512
e9fe38309061dbd5ea49ae9f7337738074c7caa3db6163bba27a18c6cf7d071015383ccd6578792018c48fd9e25ef9a883341cf3db725bc42cd5fc50ec96552f
-
SSDEEP
24576:Myqv6Mq+w7oXYLxxccNUwCHCYqd+Rl0VxQW2Se7/+zCD13Y1:7qvPq+yJXUfjD0VD2SK/+zCD13
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Detected potential entity reuse from brand paypal.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1