General

  • Target

    9c5bf3d9eed2217c4da66fc4ecc7dfa9c79a0bf6cbbcdbef9f28ad3518879e78.zip

  • Size

    1.5MB

  • Sample

    240402-mbfvnsef4s

  • MD5

    65c68e26a066ad9e8beb50eb5452c5d3

  • SHA1

    b9f5d4506cbe348738d0bcacc7ec4a15d5db388b

  • SHA256

    c21a7557fc706bfe5ad231031f1ce0432104518e8c2bcab09554c71939ac695e

  • SHA512

    16562817754ce148336b30f39be6863b429db747f8fe81c83707e37b6961c1dfe99c5e38a9b23381e8889f1243e634ae2b8365c52997bcee2f844508705825d9

  • SSDEEP

    24576:FYyPRzhcuttiwSsu0YX9AJSVR5fRQqBhDsCXWRry2N1eEizb0EVwxYrIF:m+26FYX9AKRtpjmgEqzixh

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://77.91.68.29/fks/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    redline

  • Botnet

    homed

  • C2

    109.107.182.133:19084

Extracted

  • Family

    amadey

  • Version

    3.89

  • C2

    http://77.91.124.1

  • Attributes

    • install_dir

      fefffe8cea

    • install_file

      explothe.exe

    • strings_key

      36a96139c1118a354edf72b1080d4b2f

    • url_paths

      /theme/index.php

  • rc4.plain

Targets

    • Target

      9c5bf3d9eed2217c4da66fc4ecc7dfa9c79a0bf6cbbcdbef9f28ad3518879e78.exe

    • Size

      1.5MB

    • MD5

      2b8bd5b5849508f465f4eabfdd3ee1a9

    • SHA1

      a0c8fd78227b07a8a6ca7d6bb2422e7a218d25f2

    • SHA256

      9c5bf3d9eed2217c4da66fc4ecc7dfa9c79a0bf6cbbcdbef9f28ad3518879e78

    • SHA512

      bfe809557c6511ee866422bb1dd7b54716bf77fbf5516b09b0fe8cb534b7b656598a3d5dbee86634c1d8698db0e326a9eced99313408e79c1a569bcac701490f

    • SSDEEP

      49152:mvnZSzCFDAUxx+ddFfU+hxOXd2wBzLBi:onsme1drThx9wBzLc

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
