General

  • Target

    5c1e965d21ddfb6972824827a6ad3ed5

  • Size

    790KB

  • Sample

    240126-gy7c9affg2

  • MD5

    5c1e965d21ddfb6972824827a6ad3ed5

  • SHA1

    3267ccd4de8c23ab99433235d5529937409162e7

  • SHA256

    82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f

  • SHA512

    2cf327b300952bcfedd43a6410fbd45593a449add6493fb8ac2ae86b5571ec531a921ed859c2ce2d84505ba7523e8b7d1264a893fc48ff8bfa9481d875718fa0

  • SSDEEP

    12288:iwx2ZDHcnIo7YNQYBeW8/LViyIakQz15bbPnK2I4uGxZbmqMrUAPJHj0gr:iwx4DHcnJwQpiyIakELT5ZbmNrUuj0

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes
  • install_dir

    d887ceb89d

  • install_file

    explorhe.exe

  • strings_key

    7cadc181267fafff9df8503e730d60e1

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

2024

C2

195.20.16.103:20440

Extracted

Family

risepro

C2

193.233.132.62:50500

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

C2

141.95.211.148:46011

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

redline

Botnet

@PixelsCloud

C2

94.156.67.230:13781

Extracted

Family

amadey

C2

http://185.215.113.68

Attributes
  • strings_key

    7cadc181267fafff9df8503e730d60e1

  • url_paths

    /theme/index.php

rc4.plain

Targets

    • Target

      5c1e965d21ddfb6972824827a6ad3ed5

    • Size

      790KB

    • MD5

      5c1e965d21ddfb6972824827a6ad3ed5

    • SHA1

      3267ccd4de8c23ab99433235d5529937409162e7

    • SHA256

      82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f

    • SHA512

      2cf327b300952bcfedd43a6410fbd45593a449add6493fb8ac2ae86b5571ec531a921ed859c2ce2d84505ba7523e8b7d1264a893fc48ff8bfa9481d875718fa0

    • SSDEEP

      12288:iwx2ZDHcnIo7YNQYBeW8/LViyIakQz15bbPnK2I4uGxZbmqMrUAPJHj0gr:iwx4DHcnJwQpiyIakELT5ZbmNrUuj0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect ZGRat V1

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

1
T1562

File and Directory Permissions Modification

1
T1222

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Tasks