Overview

overview

10

Static

static

3

0e7c3afcce...11.exe

windows7-x64

10

0e7c3afcce...11.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0e7c3afcce5e1afbdcc07e76fcac2411.exe

  • Size

    1.9MB

  • Sample

    240104-1c14wscge6

  • MD5

    0e7c3afcce5e1afbdcc07e76fcac2411

  • SHA1

    699038b57cb6442818325a8138fa83d0e05ea4ef

  • SHA256

    3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a

  • SHA512

    1005a9a3ae2b6902d74208f2cb58e11b71feb32d7a048961027e3b2b30b51a9cfcf9dfc74139070787a0203bdab5b5f6f6814a8df396e4e6c23b220740ec54ed

  • SSDEEP

    49152:Bm0qroo2q2hNg2kSoeu+JL5wRHD5pasPskF:Y0joWjg2k6GtmmskF

Score
10/10
amadeyredlinezgrat@pixelivelegaalivetraficgoogleevasioninfostealerpersistencephishingrattrojan

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes
  • install_dir

    d887ceb89d

  • install_file

    explorhe.exe

  • strings_key

    7cadc181267fafff9df8503e730d60e1

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

amadey

C2

http://185.215.113.68

Attributes
  • strings_key

    7cadc181267fafff9df8503e730d60e1

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTrafic

C2

20.79.30.95:13856

Extracted

Family

redline

Botnet

@Pixelive

C2

195.20.16.103:20440

Extracted

Family

redline

Botnet

Legaa

C2

185.172.128.33:38294

Targets

    • Target

      0e7c3afcce5e1afbdcc07e76fcac2411.exe

    • Size

      1.9MB

    • MD5

      0e7c3afcce5e1afbdcc07e76fcac2411

    • SHA1

      699038b57cb6442818325a8138fa83d0e05ea4ef

    • SHA256

      3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a

    • SHA512

      1005a9a3ae2b6902d74208f2cb58e11b71feb32d7a048961027e3b2b30b51a9cfcf9dfc74139070787a0203bdab5b5f6f6814a8df396e4e6c23b220740ec54ed

    • SSDEEP

      49152:Bm0qroo2q2hNg2kSoeu+JL5wRHD5pasPskF:Y0joWjg2k6GtmmskF

    Score
    10/10
    amadeygoogleevasionpersistencephishingtrojanredlinezgrat@pixelivelegaalivetraficinfostealerrat

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect ZGRat V1

    • Detected google phishing page

      phishinggoogle

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

4
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks