Overview

overview

10

Static

static

3

6d82e3c5ac...bd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6d82e3c5ac60406d1c6a513d7ba1080c77adb32ca3d6b2473e0b6ff76b4818bd.zip

  • Size

    1.7MB

  • Sample

    240402-mbc4safb26

  • MD5

    664136837152adc0da9f2808b70330ab

  • SHA1

    4539e3ce7e0de208dd4f62da1b3908d3d823cb2d

  • SHA256

    9529d17824dfb901a40ce7e2bde05e3d78e0203b277289d397fb26370ed6a15f

  • SHA512

    8ec93caa83c4dcfc94b2a756efa27db6b4c36616a1c9546fc7409f5c474b43009bf5b3a2852f31ed4740a6d9e90da60ea25a79254b78e19b8417dd4f6c5e02c5

  • SSDEEP

    49152:SgND+aTkq/ifLJVEnmohISyGv6QnHyKcxLNByasfULS:SgpGcuSnmojyNQ7iNqAS

Score
10/10
amadeydcratmysticredlinesmokeloaderhomedbackdoorevasioninfostealerpersistenceratstealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

homed

C2

109.107.182.133:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Targets

    • Target

      6d82e3c5ac60406d1c6a513d7ba1080c77adb32ca3d6b2473e0b6ff76b4818bd.exe

    • Size

      1.8MB

    • MD5

      41a7fe217d400d78ec38420cfb3875ee

    • SHA1

      5cae6714e0cc19819e0c70459a3c25968ec554ff

    • SHA256

      6d82e3c5ac60406d1c6a513d7ba1080c77adb32ca3d6b2473e0b6ff76b4818bd

    • SHA512

      f602730c3f65b415f06cf67aba5df031deaf8740bad21b4f84ea0e3573ee4d537fb3fdb66491659d2433c4606665e7f7124f12a260356dbe52397be170da93bd

    • SSDEEP

      49152:K+0fsuP1/cLYWp/pS3A9YrkbhSsK2J//1:dHuq5/9Yr4hSBi

    Score
    10/10
    amadeydcratmysticredlinesmokeloaderhomedbackdoorevasioninfostealerpersistenceratstealertrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks