Overview

overview

10

Static

static

3

1a648c4a8d...7f.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1a648c4a8df863ea0ffdd17c5f4a07250f4f40cca5e7f9a628266acd8d08817f.zip

  • Size

    1.5MB

  • Sample

    240402-ma7xrsef2y

  • MD5

    e67b1cbae8d6f5b1505f564bc3565e1e

  • SHA1

    d12e6060e60c5d06367bda061dd3b87da9d47cf2

  • SHA256

    e1d8019c30ec865fc3526403a92cdc3dfbdb8f115ed03476e89a12fa49cfe3f2

  • SHA512

    34f9e471e4527123ca0e1fcde7a2ae7115980fed93e93781bc6197a1b87d1af474fbf1c24d31c93b1bb706602b9d3c7c7ddf8c13f853ba54e6283462456e862d

  • SSDEEP

    24576:8zsNKamjj9w8chiM5VyK3uxceH0HQ+yi7ZUkuk/8xKCuZ2QIFtP/9qb0F5WwQ7cY:8YNKHjBUhfy6e9+ymZuestHPcc29

Score
10/10
amadeydcratmysticredlinesmokeloaderhomedbackdoorevasioninfostealerpersistenceratstealertrojanupx

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

homed

C2

109.107.182.133:19084

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Targets

    • Target

      1a648c4a8df863ea0ffdd17c5f4a07250f4f40cca5e7f9a628266acd8d08817f.exe

    • Size

      1.5MB

    • MD5

      c8ee3a6885f27af7f2c2e918f8d2baed

    • SHA1

      c5acd6bdebd71ee1443004939c359d67d7cf8f1a

    • SHA256

      1a648c4a8df863ea0ffdd17c5f4a07250f4f40cca5e7f9a628266acd8d08817f

    • SHA512

      653cc58976788d0639c1abd4bf6dc83662a73997d2e5727596b9ce80ec9ffa2706dce9d43106cca058c1dc1deffe875705bdf2b2cdeb1e2e677932dc9e17ea19

    • SSDEEP

      24576:/ylfzZWAQ0dXIEieHexkOuiY7HpAO19j5HmTjPQLE9p:Kl8AfX7Z+7ur7pr1v0jPQu

    Score
    10/10
    amadeydcratmysticredlinesmokeloaderhomedbackdoorevasioninfostealerpersistenceratstealertrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks