General
-
Target
ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.zip
-
Size
1.5MB
-
Sample
240402-qe4bxsah4y
-
MD5
b71d4c064311ef81cfc5291eafe2c841
-
SHA1
6a27033103d297c6252436c03e4909a4675b4f02
-
SHA256
b3767abd0edf10f66b81b14d4b2410893837b8c25815d961c17b713ec10560ce
-
SHA512
bc1c38c2651216159677efb56b68bf261436e7737e07f4155fdbeeaf45084f93d5aa74b4250f6d053f3e9f05b82a5ed1fbafe776d6dca4fa761fede0d4e8777a
-
SSDEEP
49152:sYwOYwh+wQ5quizBugrNI9cGDtM+FDMqw1WIQ:sTOYqRP8g69c8MuDOfQ
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Targets
-
-
Target
ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3.exe
-
Size
1.6MB
-
MD5
ade10cbc533c8399aa2996b16c3484ca
-
SHA1
f90a827c38ce6c1269a6ce7e83d2dab2b56a5cab
-
SHA256
ded6c5d03ad40925fefd165af80098800e966d9abc9010f7314ac628a20b0ae3
-
SHA512
6c15ecfaf6080927b299a605f68d6725d49663eec6d9d57b35fa0d150b75bb3ca523bd4932f119f84966983a01a7ebb29f82d52724f5e66729f6f0247044335e
-
SSDEEP
24576:4yhAsIvxrRj9Wbijl2cDJNc09Y26NvILBCG/hFGYQImW3d5ewxHoOwJcf9k:/OV/nLjpLLq3W3iON1
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload
-
Modifies Windows Defender Real-time Protection settings
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1