General

  • Target

    b4bb298686ce7a113d33cb8662c15da5.bin

  • Size

    27KB

  • Sample

    231224-dj9chsgfd3

  • MD5

    845a277226d415e871155f146cc347f2

  • SHA1

    01d7ae78d790aefcc80271b0122ce861c7dcce0e

  • SHA256

    a13b6ebf88f3d9b8c414b00efbdb050a3bc3160341fdd18e1caf522506b2bf7c

  • SHA512

    3c28dfecdee8768ec5e3636a424ac31bb4457d2da41e40e8d65a0486a8cc382ed34b4ccdeb68e65fe25cc961024f91a63b8c0bbb5144a4417e8408394102d154

  • SSDEEP

    384:A3s6Ggx12G8M8VvK2T6rGxD9vdWOxOdi5NC5mQQfWBXtmpNnFGr59eG7g:hgWGR23JY+Wi5NzfWBXuFGrXn7g

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

4.13

C2

http://5.42.65.125

Attributes
  • install_dir

    0de90fc5c7

  • install_file

    Utsysc.exe

  • strings_key

    b34dd8f60e55add4645c4650cc7f7e7e

  • url_paths

    /k92lsA3dpb/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:22221

Extracted

Family

redline

Botnet

PixLive

C2

46.17.103.81:5893

Extracted

Family

lumma

C2

http://soupinterestoe.fun/api

Extracted

Family

redline

Botnet

666

C2

195.20.16.103:18305

Targets

    • Target

      2fcad026daee519395baf02393e21f412d2f08ebec612d4fe25a5b8c3a64792e.exe

    • Size

      36KB

    • MD5

      b4bb298686ce7a113d33cb8662c15da5

    • SHA1

      092547b22bfbc4be4e0b7f8ef1256bdf5d9eebcc

    • SHA256

      2fcad026daee519395baf02393e21f412d2f08ebec612d4fe25a5b8c3a64792e

    • SHA512

      58ff26b8b230aee1d1e3aadebc7827f953c52219cd73d054d7e72daaefce9a7ec01538958d71f4d1de2548be95d3cfdee411e424f5022eb065b22eb125fac873

    • SSDEEP

      768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Lumma Stealer payload V4

    • Detect ZGRat V1

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks