General
-
Target
2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203
-
Size
1.8MB
-
Sample
240507-2fewhabe6w
-
MD5
f5a33e2c9e2f68449a07778cc2edf846
-
SHA1
9b1c77c93fdf834a281da35fb3d5060d6de64de6
-
SHA256
2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203
-
SHA512
cacf32b567797196a636d17ab2457cbe1bbd25f339cef8bd46848abba8d0e60ebbb5937d378a3300c8c0f242743489ceb1909039ebcf9670cabaecf08afdb12e
-
SSDEEP
49152:kcvZBay16INgG3P2GHYTAIEj6G3KdbeuBJI4:ki1tC3KX66cR/I
Malware Config
Extracted
Protocol: smtp- Host:
smtp.ii.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
2727koji
Extracted
Protocol: smtp- Host:
hcmp.co.kr - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
techpilelko.in - Port:
587 - Username:
[email protected] - Password:
mashish@760
Extracted
Protocol: smtp- Host:
smtp.cmhteknoloji.com.tr - Port:
587 - Username:
[email protected] - Password:
He7Sm8YO
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
ne10011
Extracted
Protocol: smtp- Host:
smtp.ad.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
tk1973
Extracted
Protocol: smtp- Host:
smtp.am.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
waki0905
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
Duck4887
Extracted
Protocol: smtp- Host:
mail.pembery.co.uk - Port:
587 - Username:
[email protected] - Password:
19111937A%5*
Extracted
Protocol: smtp- Host:
smtp.microlins.com.br - Port:
587 - Username:
[email protected] - Password:
fin.manhumirim
Extracted
Protocol: smtp- Host:
mail.guiri.co.uk - Port:
587 - Username:
[email protected] - Password:
v413nc14cf
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
putter
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
bb1999
Extracted
Protocol: smtp- Host:
smtp.ac.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
87124439
Extracted
Protocol: smtp- Host:
smtp.uu.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
aw0101
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
ASAP000
Extracted
Protocol: smtp- Host:
smtp.uu.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
bokuking
Extracted
Protocol: smtp- Host:
smtp.ak.em-net.ne.jp - Port:
587 - Username:
[email protected] - Password:
banana
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
maggie981
Extracted
Protocol: smtp- Host:
smtp.netzero.net - Port:
587 - Username:
[email protected] - Password:
tobias248
Extracted
Protocol: smtp- Host:
mail.nildram.co.uk - Port:
587 - Username:
[email protected] - Password:
kingdom
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
systembc
67.211.218.147:4001
Extracted
redline
Test1234
185.215.113.67:26260
Extracted
stealc
http://49.13.229.86
-
url_path
/c73eed764cc59dcb.php
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
amadey
4.12
http://185.172.128.19
-
install_dir
cd1f156d67
-
install_file
Utsysc.exe
-
strings_key
0dd3e5ee91b367c60c9e575983554b30
-
url_paths
/ghsdh39s/index.php
Extracted
redline
newpub
185.215.113.67:26260
Targets
-
-
Target
2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203
-
Size
1.8MB
-
MD5
f5a33e2c9e2f68449a07778cc2edf846
-
SHA1
9b1c77c93fdf834a281da35fb3d5060d6de64de6
-
SHA256
2219fa1e23dac10134da6a6be9d6634a250dc2fc4cfdac1ad48d6e41c9406203
-
SHA512
cacf32b567797196a636d17ab2457cbe1bbd25f339cef8bd46848abba8d0e60ebbb5937d378a3300c8c0f242743489ceb1909039ebcf9670cabaecf08afdb12e
-
SSDEEP
49152:kcvZBay16INgG3P2GHYTAIEj6G3KdbeuBJI4:ki1tC3KX66cR/I
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Stealc
Stealc is an infostealer written in C++.
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1