Overview

overview

10

Static

static

10

0f2ec50da0...21.exe

windows7-x64

10

0f2ec50da0...21.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0f2ec50da0186e99fb0bf47053b56921.exe

  • Size

    37KB

  • Sample

    231224-dppkasggd8

  • MD5

    0f2ec50da0186e99fb0bf47053b56921

  • SHA1

    765f74d96599e8970078d307808e49e8d694a98e

  • SHA256

    121b10b4f31da4ecba0a8745a31cb57300982e45310454e8232912ed2afc4248

  • SHA512

    ee80fe5bc05c811c9cd1e7af8c13bf3e8c93c322e6eade57e068ea3ee5d69e13d620a43380e60753823167ddf2a01a9019b2a7a324de93aec7f17abe097f3b1c

  • SSDEEP

    768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

Score
10/10
amadeylummaredlinesmokeloaderzgrat666livetrafficbackdoordiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

4.13

C2

http://5.42.65.125

Attributes
  • install_dir

    0de90fc5c7

  • install_file

    Utsysc.exe

  • strings_key

    b34dd8f60e55add4645c4650cc7f7e7e

  • url_paths

    /k92lsA3dpb/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:22221

Extracted

Family

lumma

C2

http://soupinterestoe.fun/api

Extracted

Family

redline

Botnet

666

C2

195.20.16.103:18305

Targets

    • Target

      0f2ec50da0186e99fb0bf47053b56921.exe

    • Size

      37KB

    • MD5

      0f2ec50da0186e99fb0bf47053b56921

    • SHA1

      765f74d96599e8970078d307808e49e8d694a98e

    • SHA256

      121b10b4f31da4ecba0a8745a31cb57300982e45310454e8232912ed2afc4248

    • SHA512

      ee80fe5bc05c811c9cd1e7af8c13bf3e8c93c322e6eade57e068ea3ee5d69e13d620a43380e60753823167ddf2a01a9019b2a7a324de93aec7f17abe097f3b1c

    • SSDEEP

      768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

    Score
    10/10
    amadeylummaredlinesmokeloaderzgratlivetrafficbackdoordiscoveryinfostealerratspywarestealertrojan666

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Lumma Stealer payload V4

    • Detect ZGRat V1

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks