Overview

overview

10

Static

static

10

Small Malw...un.exe

windows10-2004-x64

10

Small Malw...ld.exe

windows10-2004-x64

5

Small Malw...it.exe

windows10-2004-x64

10

Small Malw...23.exe

windows10-2004-x64

10

Small Malw...pd.exe

windows10-2004-x64

10

Small Malw...23.exe

windows10-2004-x64

5

Small Malw...c4.exe

windows10-2004-x64

10

Small Malw...a2.exe

windows10-2004-x64

10

Small Malw...wd.exe

windows10-2004-x64

10

Small Malw...ac.exe

windows10-2004-x64

7

Small Malw...64.exe

windows10-2004-x64

8

Small Malw...ng.exe

windows10-2004-x64

10

Small Malw...tu.exe

windows10-2004-x64

10

Small Malw...ux.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Small Malwares.zip

  • Size

    38.6MB

  • Sample

    240604-16newsdc7w

  • MD5

    a675affcfb7c264fe4302ddd09248ccc

  • SHA1

    321c4c6117b45dabb2206a271a0b1be38b8beaef

  • SHA256

    29a1b2044662e0dd7f3059854ed7d49d2511eca878ecf4aad8664292e62dd2d5

  • SHA512

    0d716ed401ac776513ac0cb0e4c3f90f5e5882fe1694bf03781aaeb1acae527f2c0e7bf70a238467cf538d95acfd3116cc513517d7a7782bebdd43109f53c8d3

  • SSDEEP

    786432:XU+kVpVIpxapXoNY9rVZaHn9JW/3ue16vnQmZW7b:RerIDdVHn9wue14QmZWb

Score
10/10
amadeyexelastealerprivateloaderredlineriseprosystembc0e67409a3efc@logscloudyt_bote76b71newbildbootkitdiscoveryevasionexecutioninfostealerloaderpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

newbild

C2

185.215.113.67:40960

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

C2

http://check-ftp.ru

Attributes
  • install_dir

    b9695770f1

  • install_file

    Dctooux.exe

  • strings_key

    1d3a0f2941c4060dba7f23a378474944

  • url_paths

    /forum/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes
  • install_dir

    8254624243

  • install_file

    axplong.exe

  • strings_key

    90049e51fabf09df0d6748e0b271922e

  • url_paths

    /Kiru9gu/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

C2

185.172.128.33:8970

Extracted

Family

risepro

C2

147.45.47.126:58709

Targets

    • Target

      Small Malwares/1000002001/file300un.exe

    • Size

      381KB

    • MD5

      7b45848e20860513ef26eda7e13b0f1b

    • SHA1

      a185781f7c61f9f3306e207d1711fce4643074be

    • SHA256

      e2d2ea45cb38516498c31eb31b51508cadfe496d6517839ad2b7080973271624

    • SHA512

      237fefa9f658dbf912e0777dd2de0ee37d1e8a88d3de0efb03bd63037a3812bee81ed61f46426bc0348f301485068eff94aa91c2283b2d580d10cccd08cdf8bd

    • SSDEEP

      6144:rPlCBTtcDLxjD5lbKI42mZtgfW3aLxtzGyyHDF6vBrzAJ2dPjdL/Nbjl4G:rUBTGBPKGexUtzOFyzAJaH4G

    Score
    10/10
    amadeyprivateloader9a3efcbootkitevasionexecutionloaderpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies firewall policy service

      evasion

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      Small Malwares/1000004001/gold.exe

    • Size

      1.2MB

    • MD5

      0b7e08a8268a6d413a322ff62d389bf9

    • SHA1

      e04b849cc01779fe256744ad31562aca833a82c1

    • SHA256

      d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65

    • SHA512

      3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

    • SSDEEP

      24576:i3KN/uUnwZcPggVmmNp7c/8B2LF8jfjiKriA4BthZ:i3KDwZqggVmmH7F258jfjiKr/4BB

    Score
    5/10

    • Suspicious use of SetThreadContext

    behavioral2

    • Target

      Small Malwares/1000005001/judit.exe

    • Size

      10.7MB

    • MD5

      c09ff1273b09cb1f9c7698ed147bf22e

    • SHA1

      5634aec5671c4fd565694aa12cd3bf11758675d2

    • SHA256

      bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92

    • SHA512

      e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

    • SSDEEP

      196608:JYPBUPXmkw/NHIAj3DxH9pIKwp4+WY6Z0sU+FNuQ4zOZ+1ak3Yzb5:JYpe25NHIAj3D1rf+WYwUaMrz5aP/

    Score
    10/10
    exelastealerevasionspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3

    • Target

      Small Malwares/1000007001/redline123123.exe

    • Size

      297KB

    • MD5

      0efd5136528869a8ea1a37c5059d706e

    • SHA1

      3593bec29dbfd333a5a3a4ad2485a94982bbf713

    • SHA256

      7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e

    • SHA512

      4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe

    • SSDEEP

      3072:0qFFrqwIOGTNyHESF9D4L/aFWdE4A6CbAhdZsRTZRqHIccZqf7D34leqiOLCbBOR:fBIOG6a/aEd6RTZwBcZqf7DIvL

    Score
    10/10
    redlinenewbilddiscoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral4

    • Target

      Small Malwares/1000008001/upd.exe

    • Size

      1.7MB

    • MD5

      e8a7d0c6dedce0d4a403908a29273d43

    • SHA1

      8289c35dabaee32f61c74de6a4e8308dc98eb075

    • SHA256

      672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a

    • SHA512

      c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770

    • SSDEEP

      24576:uVKlwZW7rdhSklldluAi8XBBv3b1bNtFPEh8OyPe+ZkGRACQX48n9pJSQ2KxLqYV:LlwZEDSWercBvB7xEdr2dRqucwcr

    Score
    10/10
    redline@logscloudyt_botdiscoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral5

    • Target

      Small Malwares/1000009001/lumma123.exe

    • Size

      499KB

    • MD5

      5161d6c2af56a358e4d00d3d50b3cafb

    • SHA1

      0c506ae0b84539524ba32551f2f297340692c72a

    • SHA256

      7aa5344aab15b3fb2355c59e09b7071a6a0a12ec1a5828367ecb7e9f926fe765

    • SHA512

      c981aafb0e901838b1ccacda32f9b026995d5fd8cbed6590f2b3dd1178a2751065194a872c22cf24475eaf963c464916e33dd0fc620723d79b7f25d0e5041441

    • SSDEEP

      12288:RlY3R4zdWR5YkPebLhYWT3+Kw6RDubFagn8H4:Rleqz3kW1KKlRsw

    Score
    5/10

    • Suspicious use of SetThreadContext

    behavioral6

    • Target

      Small Malwares/1000011002/3a45e77bc4.exe

    • Size

      1.8MB

    • MD5

      a7221b372210af6bea61be50186a3860

    • SHA1

      3aa73526e25e9ade86cc74d820bd656e34c8c850

    • SHA256

      c8f039706b71366f54bb879a8b9a01745dab0511c11d91bef773c2dddc216881

    • SHA512

      939671a3336e29460244a3593a3a0e6925625207ec46fe31ac5864bbf28ceba0a9741e616d25a8625742f442f14dd351ecbe8610d62281e47d3c1d27a4e111f1

    • SSDEEP

      49152:QsbBUcmzPnap2/GlHv0gm25LIXaRmySHyMW:QsVft26HvdTUXaRm3SM

    Score
    10/10
    amadeye76b71evasiontrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral7

    • Target

      Small Malwares/1000012001/c9f61fb9a2.exe

    • Size

      2.3MB

    • MD5

      c0687b9025b5f2316b182735cf61d516

    • SHA1

      a7b222c94e1651dc8f79238e5d362eb737638740

    • SHA256

      8acf6db9eef95b0bc94a7b407c1c06b63f7552dac689051262670a36bc3b24bf

    • SHA512

      14fde1477efc9bbb240b9b1a0ffffc70d63798712c3d9385a3925b449f53aaac8095769ec9918fedc96c7bd0ee9e5b0f694f44553394773a0e6629f3085779e2

    • SSDEEP

      49152:lBOBHjNclHBRwMsJNnQ5rZKiP56uQRTGcA/estFx1UOWB3fN64/0ndhNX:KdJiHBQvn2Zzw2vPWB3fN7czN

    Score
    10/10
    riseproevasionstealer

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral8

    • Target

      Small Malwares/1000012001/lrthijawd.exe

    • Size

      898KB

    • MD5

      1b1ecd323162c054864b63ada693cd71

    • SHA1

      333a67545a5d1aad4d73a3501f7152b4529b6b3e

    • SHA256

      902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff

    • SHA512

      f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71

    • SSDEEP

      24576:juDXTIGaPhEYzUzA0amuDXTIGaPhEYzUzA0bnl:KDjlabwz9aDjlabwz9rl

    Score
    10/10
    systembctrojan

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral9

    • Target

      Small Malwares/1000013001/8f8936a9ac.exe

    • Size

      1.1MB

    • MD5

      0de37e7a20ce5696d649752dcaaaab09

    • SHA1

      e6fd5e7adadbef55f5a1db449e728660e43e3353

    • SHA256

      688ddaf6044eb7a587a796211a5e418c0aebef35a91f5d4d2b54674bfa5ed40e

    • SHA512

      5fe2e34271c78a754092785a2f5f8fdd7572029829d9ac0a5092778e3ed2c795f04adc4ce2b3b94023749abb5a16fb50d1a40758f724d123b2f8cde9ce7f59d1

    • SSDEEP

      24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8au52+b+HdiJUu:0TvC/MTQYxsWR7au52+b+HoJU

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral10

    • Target

      Small Malwares/1000014001/services64.exe

    • Size

      16.9MB

    • MD5

      c8a50a6f1f73df72de866f6131346e69

    • SHA1

      37d99d5a8254cead586931f8b0c9b4cf031e0b4d

    • SHA256

      59e6a5009ce5e9547078db7f964bb8fc10ee999dd35b7e9243f119db8337aa8d

    • SHA512

      9f9230c58ddb8f029421a494220023253d725105ac2575d4ecd818c139dfaf77c7d559c58b66d764d78f3ffa19296f05af6a5d02f795b22512e6979671f2d745

    • SSDEEP

      393216:VqXwsD/P9ME9hCb4B6+SY34VAw+56VbaK5P5jH7s:VqX/DDb24xt4VF46V+Kp5T7

    Score
    8/10
    evasionexecutionpersistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Drops file in Drivers directory

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral11

    • Target

      Small Malwares/8254624243/axplong.exe

    • Size

      1.8MB

    • MD5

      a7221b372210af6bea61be50186a3860

    • SHA1

      3aa73526e25e9ade86cc74d820bd656e34c8c850

    • SHA256

      c8f039706b71366f54bb879a8b9a01745dab0511c11d91bef773c2dddc216881

    • SHA512

      939671a3336e29460244a3593a3a0e6925625207ec46fe31ac5864bbf28ceba0a9741e616d25a8625742f442f14dd351ecbe8610d62281e47d3c1d27a4e111f1

    • SSDEEP

      49152:QsbBUcmzPnap2/GlHv0gm25LIXaRmySHyMW:QsVft26HvdTUXaRm3SM

    Score
    10/10
    amadeye76b71evasiontrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral12

    • Target

      Small Malwares/9217037dc9/explortu.exe

    • Size

      1.8MB

    • MD5

      5a4619d13c41a14b933c591abed16e35

    • SHA1

      1b6a0c0e1e1187f6e42980fd3bf7de05b1d4cff1

    • SHA256

      ccdc802404647caa363f5e251cb2c683ea5a8d6f16d682dfb8833a6f77016c6f

    • SHA512

      5c2b22ad8feface5940e54a766d84d22a818bb0a727b5e327556fced1489966f07c80bf7a6050da362048e105273a8fcc55ee010d840aa9e3fcb6b05ee5664d6

    • SSDEEP

      49152:b9rwijl1WSjW3wTAfPWUdsPGYvOzo7YwF:b9cih1WSjW3+AnIOYGoYY

    Score
    10/10
    amadey0e6740evasiontrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral13

    • Target

      Small Malwares/b9695770f1/Dctooux.exe

    • Size

      493KB

    • MD5

      b7a26c9dadcbae2e051249a60f140d13

    • SHA1

      a182b26486812a906c2ffa378a80757ed80eee31

    • SHA256

      962cca9204f7efb95be4e5527de264977482414640bb5e8b56113036fe280460

    • SHA512

      b65e4187178031e705f2cf9a64a248331b4ad491549fd7ed82b521c9d4421eb9b7a85b486d633681a76f830db5a79177daee15efd59f0c0efe311337343781a2

    • SSDEEP

      6144:if0tTd7LNEY+uVKBt2vZuRS+4nBDfKxc+rWC8+LtmImC8BG0qEjWYkH1WT/:iCTd/Nz+usBshu74lfH+yCrC97xkg

    Score
    10/10
    amadey9a3efctrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

2
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

5
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

3
T1562.001

Modify Registry

7
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

8
T1012

System Information Discovery

8
T1082

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks