Overview

overview

10

Static

static

3

hash.bin

windows7-x64

3

hash.bin

windows10-2004-x64

3

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    adobe_photoshop_cc_2019_repack_by_tomo.rar

  • Size

    3.9MB

  • Sample

    240717-zq1jvaydpn

  • MD5

    90f765eeb909f4fec092b5890ea9cdd6

  • SHA1

    f53b0f939a275ad6988f9514d8b0ae72b3cabc85

  • SHA256

    24eff2bc4ab82c6337f4815505cc1d05e5e88c17f411213c5a926e971d895b67

  • SHA512

    1643b3a0d9fe7a9607d653dab2e544ba8cabc3e115a91fb32fc8fae606580c5ba69df0e71c5c0842817b3956a7a395f3a8edd375d366fb9869fc2e0cc271b040

  • SSDEEP

    98304:Ua9DiRXcYt/MYGeApFi6X4Lu4WaYrPCdWiP5LYSkNuJfbY:t9DacYHATi6XPrPcWIcSXJbY

Score
10/10
amadeyprivateloaderredlinestealctofsee4dd39dfunnylogsdiller cloud (tg: @logsdillabot)discoveryevasionexecutioninfostealerloaderpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

77.105.135.107:3445

Extracted

Family

stealc

Botnet

funny

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Targets

    • Target

      hash.bin

    • Size

      265KB

    • MD5

      da77b20827a5e2417faa875cabd12039

    • SHA1

      5e5cc661ec89f603594aae11f3b9d7b93f2565f9

    • SHA256

      8694ef68bd0f658833018951f2c88a3d37d9da936f3fd3a21b9c0b5f167e61ef

    • SHA512

      deb8a71ccc091c78d36416c4c63191f3320226800f2cad49d6531664e4421c87c05082ffd5d9565528da5744c151044ecbb98df91a9e6ef985b676cfb117eb85

    • SSDEEP

      6144:BVCXzKcZWY7OgezkGDOM3jQWot7i6GBySaQDYGmOkfl40dPs:qX+cRSgezkmOnx7xFSaFOql40G

    Score
    3/10
    behavioral1behavioral2

    • Target

      setup.exe

    • Size

      797.3MB

    • MD5

      67b884b87a049ea9053b89232116fb73

    • SHA1

      2c3bb5d5cdc496a17824d12c76d02c6c95be59ce

    • SHA256

      adae648d3e5026aa206869543d51b6532c9c964e7f047b97b1df1385c1866afc

    • SHA512

      87cd6da48660c6f4805b275413150e7252ce7a55c45bd739a19c51d9b98a3428bd7bc3ddf3f463ff5d7137804432d7b7eb91f419a05ca5244f946bb3af286495

    • SSDEEP

      98304:XZMBNQE6FC/d3s73QWE15+lOG3WX1ILAor+GHzOsqnZkNcMtj:GAC/d3s7gT1zG3WX1mrHXqnZmtj

    Score
    10/10
    evasionamadeyprivateloaderredlinestealctofsee4dd39dfunnylogsdiller cloud (tg: @logsdillabot)discoveryexecutioninfostealerloaderpersistencespywarestealerthemidatrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Modifies firewall policy service

      evasion

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix

Tasks