General

  • Target

    VoicemodSetup_2.48.0.0.exe

  • Size

    112.2MB

  • Sample

    240313-ahhavsgh67

  • MD5

    91b98d97343351e879ef8304798864c0

  • SHA1

    fba2e0c8229165d7f0cc34930ea96a2430d30ee6

  • SHA256

    3671fd712335ef0d15e4d553edf19116f56d2ca18ede39d9d43536ce9e0bf2f4

  • SHA512

    2a9a855d6a955c4bce3f4c23644cdb5d4454cb6e38b83ed5a42c9cf058e48584b762586415014a919d5567544ce570d99771a2258ef20c230a230bfc46c13fa8

  • SSDEEP

    3145728:tYegNHiVdYZxPKyZ+DXfCJSQYBvvisu9koMvqSs:3gliV4z+bEzoviOv+

Malware Config

Extracted

Family

stealc

C2

http://193.143.1.226

Attributes
  • url_path

    /129edec4272dc2c8.php

Extracted

Family

icedid

Campaign

4165079571

C2

podiumstrtss.com

Extracted

Family

risepro

C2

193.233.132.62

193.233.132.62:50500

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes
  • install_dir

    09fd851a4f

  • install_file

    explorha.exe

  • strings_key

    443351145ece4966ded809641c77cfa8

  • url_paths

    /Pneh2sXQk0/index.php

rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Stealc

      Stealc is an infostealer written in C++.

    • Creates new service(s)

    • Stops running service(s)

    • Downloads MZ/PE file

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies Windows Firewall

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • T1053 Scheduled Task/Job (1)

Persistence
  • T1543 Create or Modify System Process (3)
    • T1543.003 Windows Service (3)
  • T1053 Scheduled Task/Job (1)

Privilege Escalation
  • T1543 Create or Modify System Process (3)
    • T1543.003 Windows Service (3)
  • T1053 Scheduled Task/Job (1)

Defense Evasion
  • T1562 Impair Defenses (2)
    • T1562.004 Disable or Modify System Firewall (1)

Discovery
  • T1057 Process Discovery (1)
  • T1012 Query Registry (1)
  • T1082 System Information Discovery (1)
  • T1018 Remote System Discovery (1)

Command and Control
  • T1102 Web Service (1)

Impact
  • T1489 Service Stop (1)

Tasks