General
-
Target
956573562e7d7da152d58e554d8c605dae1566cfcdc6e091511f4fa54b50004b.zip
-
Size
1.5MB
-
Sample
240402-mpmkdafh22
-
MD5
468e09ac50a1c257d51bc2aff822251b
-
SHA1
7e1e72299218299935df96f4577a428e1a8b5411
-
SHA256
3aa40fcbdd2ffa77d93df88c3aec48f89f39cd95e8b7b7306c92716d98a97eb1
-
SHA512
ef316a313538bb5146a9bae5e382ca63c1ec519773f7efd2de474a623431cedc393c4f859fd47ac8283f156fd841778298bb14d6e5615f17f8800dc7536232dc
-
SSDEEP
49152:OjMzgsvOjtSfoPRtZiQ6G+/OFP8lV6CD23z+Ht4Ie:OsgsvqHpHi7G2OOD2ay9
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Targets
-
-
Target
956573562e7d7da152d58e554d8c605dae1566cfcdc6e091511f4fa54b50004b.exe
-
Size
1.6MB
-
MD5
bd8179166fc23c803f7d1303a940ae7e
-
SHA1
ba99075cc9eed7bc43f39078c0cf203e35e985d9
-
SHA256
956573562e7d7da152d58e554d8c605dae1566cfcdc6e091511f4fa54b50004b
-
SHA512
4f28e7f1b59bc8e1b4c2f71c04f33a216b18380e940c9d143069dd27f11337cffd1a3dc4fbc121ff529817c7bf75c5eafc28bf8a45d7316416c9518f46e5d702
-
SSDEEP
24576:BywW+SerRtTFjyw5/TRFu3J0G3alUAZSRsZ14PftEdKQqvtBpHcsNN2bs:0wYe3TFjywBRFuVIzSs4Pf8qvRcsNU
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1