General

  • Target

    a348405ef5647d9a654b018bf9cfa600N.exe

  • Size

    317KB

  • Sample

    240830-1v8axsxhrg

  • MD5

    a348405ef5647d9a654b018bf9cfa600

  • SHA1

    e60c3b614be9efc354c71de9e724ed3142229f83

  • SHA256

    e7f79c712f8a03de49f43ef811f82cc713c03f1283b550052ec6c48ba1307724

  • SHA512

    587686cc56b566fa4db51c2a25ab28dfcc0c23d0b343834492ec75fa95ba41418385f38b5fa54cdf601f96a2e0aab9c38b655c15ac5a7e330f013edd2a9abb69

  • SSDEEP

    3072:vSQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lbaV2:vPA6wxmuJspr2lb6

Malware Config

Targets

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware written in C++ and primarily used to distribute other malware.

    • Detects Andromeda payload.

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read to detect sandbox environments.

    • Suspicious use of SetThreadContext
