Overview

overview

10

Static

static

3

2786807235...4b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    27868072354dafeb97a7482abbd9ac8f31ef22ae8e2ed448ec36f602d822d54b.zip

  • Size

    1.5MB

  • Sample

    240402-ma9flafa94

  • MD5

    ffd7b601acdeda2fe4269bda36c37e86

  • SHA1

    78d57f51e3b7414e68a21f76fca50c51a7825209

  • SHA256

    47c874f760d9f80fed03c635eaa77778ae919e4a01c73c9daf4a6c436cd7863c

  • SHA512

    bb78333cf4671ae3fbb463df1368ce0d164603f9ab4112d4db8255ef949a7ce218f471659c1ba9381dc12cf6e71e607f0e766fea5245685b19567b6c2b59be9c

  • SSDEEP

    24576:FV6glcCC2WPOdY7lvKp/cKfqa9/T191GuV8bnYMT+/SeROLQOnFaDu2RHt6NBUkW:foVZWChKaKfqa9/T191Gz3i5OLQIFm1F

Score
10/10
amadeydcratmysticredlinesmokeloaderhomedbackdoorevasioninfostealerpersistenceratstealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

homed

C2

109.107.182.133:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Targets

    • Target

      27868072354dafeb97a7482abbd9ac8f31ef22ae8e2ed448ec36f602d822d54b.exe

    • Size

      1.5MB

    • MD5

      69f0e28bec8c54582193e0fcba98eb02

    • SHA1

      d3b5429e2e893d5d396b34850db6837478d9e3d3

    • SHA256

      27868072354dafeb97a7482abbd9ac8f31ef22ae8e2ed448ec36f602d822d54b

    • SHA512

      34328811bea578e362fbe140de3ac8b52609f7086dee3a1cdf03baffe9af45d06c6324f18c4eaa5b09b986743fd7cebc75d0772dc6e4f1a1a5695d61f5e226df

    • SSDEEP

      24576:ny/pd+b6pubFWxEwxa863VmXVCzFmyXOl7WLrnmr0ZdRfsJ1nK5YzkRY:yhQXQCyD1CBJXOl8nkMUnK5YzE

    Score
    10/10
    amadeydcratmysticredlinesmokeloaderhomedbackdoorevasioninfostealerpersistenceratstealertrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks