General

  • Target

    17ee93b40d1746f9d99cf8521a2ab566.bin

  • Size

    1.8MB

  • Sample

    240514-bdrt6sdc67

  • MD5

    37ebe519deea32b48f8cd5173c85dc6a

  • SHA1

    ee5a0d827b9f69453c9927ba4f73199107338f75

  • SHA256

    5a385c25beb70fc35b900bd712aeb9c5065004b5266ea6591c69c225e9bafae4

  • SHA512

    39de6168bab3df75e7bdc7c1c512ed07c87b86d34e0933ee12ce7136aaac0065bf13b946cbbcc3f233889fc00dcdb7cb051e0c13000eb9e7bc96a72c1117663e

  • SSDEEP

    49152:nC6nRluXTZuAN5BpPcR1flhcW4XE0ApY3+SRH7vw9qlA:DRluXlhN5Bpw2E0l+O72

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.7

Attributes

  • install_dir

    7af68cdb52

  • install_file

    axplons.exe

  • strings_key

    e2ce58e78f631ed97d01fe7b70e85d5e

  • url_paths

    /zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

1

C2

185.215.113.67:26260

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    taskmgr.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Targets

    • Target

      49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe

    • Size

      1.8MB

    • MD5

      17ee93b40d1746f9d99cf8521a2ab566

    • SHA1

      371e878e7c8ff19a0f8771aefef9aeb6e28c2b87

    • SHA256

      49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468

    • SHA512

      21f8f6cf4d58775e4498bb1bb86437c30494d633da800ef3427bce4d7e4877018752fb091eb4627ccb0d14bc9f45afd199c752fceb1f4202d2b9d94efc6d01a7

    • SSDEEP

      49152:8sQSR2lQIeqdglI171gF3r4W9q9wx//0WRwcm0:H9CQIe6gKmbZ9ywpD

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Xworm Payload

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15
