General
-
Target
bf3e907ed150c7a8c1046c550d09f9e6309db73ea4d2c7e5c83da928d0a19b54
-
Size
1.8MB
-
Sample
240602-cmfc6sfd3s
-
MD5
1df5d38d44d6821ba587a399daf9eb83
-
SHA1
6023e2791fb481828b320edfe8bb8a62075d9eb7
-
SHA256
bf3e907ed150c7a8c1046c550d09f9e6309db73ea4d2c7e5c83da928d0a19b54
-
SHA512
6f2094a2c19410d413bb424b78853395fee83154d281484cc46e317cdc9e8f41618d99fe1fa5ce0e0421b3ad270c3e30c56b8b1c831f365350ac6562147c4ced
-
SSDEEP
49152:XE31IJLLI3BtM9dH8IhswdVA6VSwS/eQwKovE:MIW3M9dH8CswdvVSwS4
Malware Config
Extracted
http://94.103.188.126/jerry/putty.zip
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
asyncrat
AsyncRAT
Fresh
pepecasas123.net:4608
AsyncMutex_5952
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
smokeloader
2022
http://dbfhns.in/tmp/index.php
http://guteyr.cc/tmp/index.php
http://greendag.ru/tmp/index.php
http://lobulraualov.in.net/tmp/index.php
Extracted
smokeloader
pub1
Targets
-
-
Target
bf3e907ed150c7a8c1046c550d09f9e6309db73ea4d2c7e5c83da928d0a19b54
-
Size
1.8MB
-
MD5
1df5d38d44d6821ba587a399daf9eb83
-
SHA1
6023e2791fb481828b320edfe8bb8a62075d9eb7
-
SHA256
bf3e907ed150c7a8c1046c550d09f9e6309db73ea4d2c7e5c83da928d0a19b54
-
SHA512
6f2094a2c19410d413bb424b78853395fee83154d281484cc46e317cdc9e8f41618d99fe1fa5ce0e0421b3ad270c3e30c56b8b1c831f365350ac6562147c4ced
-
SSDEEP
49152:XE31IJLLI3BtM9dH8IhswdVA6VSwS/eQwKovE:MIW3M9dH8CswdvVSwS4
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies firewall policy service
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Windows security bypass
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects executables (downlaoders) containing URLs to raw contents of a paste
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
-
Detects executables containing URLs to raw contents of a Github gist
-
Detects executables containing possible sandbox system UUIDs
-
Detects executables packed with or use KoiVM
-
Detects executables referencing many IR and analysis tools
-
Detects file containing reversed ASEP Autorun registry keys
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Installed Components in the registry
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops Chrome extension
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
4Event Triggered Execution
1Change Default File Association
1Browser Extensions
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
4Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Defense Evasion
Modify Registry
11Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
2Virtualization/Sandbox Evasion
2Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1