Resubmissions

  • 05-11-2024 18:14  241105-wvkseawbmh  10
  • 04-11-2024 20:37  241104-zecnmsxcpn  10

General

  • Target: 6062be2d025d361d3f9e55025df28d480bf4af4173370ab7f864edd5607b8ff2.zip
  • Size: 1.5MB
  • Sample: 241104-zecnmsxcpn
  • MD5: 8bf05c5115a5279eb89add1caf7dc84d
  • SHA1: 928f049b2e5ec6468239e8c850f27671010783ac
  • SHA256: 5779b049d35e52697d47f7fac06de683bc264be2a57c27106b8e063f8f0fc5be
  • SHA512: b5439ddfa6fb4984d90b048696b981a4deafcc1cae094678786ea3def5341d6ce250bfd5ef5f2208d0786db11f947f3e0bb5e5b5b43a9a90e7dff239ae62e134
  • SSDEEP: 49152:l/5YI2u6oDHZxqoVRZq2d3YWM12effjAtsR:l/ztvDHZxq8fhy2OAtsR

Malware Config

Extracted

  • Family: redline
  • Botnet: grome
  • C2: 77.91.124.86:19084

Extracted

  • Family: amadey
  • Version: 3.89
  • Botnet: 04d170
  • C2: http://77.91.124.1

Attributes
  • install_dir: fefffe8cea
  • install_file: explothe.exe
  • strings_key: 36a96139c1118a354edf72b1080d4b2f
  • url_paths: /theme/index.php

rc4.plain

Targets

    • Target: 6062be2d025d361d3f9e55025df28d480bf4af4173370ab7f864edd5607b8ff2
    • Size: 1.6MB
    • MD5: 438aa744ad50d178d14cff58650170d7
    • SHA1: c7b2bb880271ba1d802bf380096e9c21d906b104
    • SHA256: 6062be2d025d361d3f9e55025df28d480bf4af4173370ab7f864edd5607b8ff2
    • SHA512: 4970d8bf30f68d93eaddbab400208e40cf5d7d8401d8e4787e61e0aee9feccb22616d73716ed49ae940b63e53d2910a391e8bdb97e413c25af76e6f1a5e3ef7b
    • SSDEEP: 49152:S+rE9uKjA588ZoQsdt2ntZOHPFbCfOXmG1Fe:Do9xMXiv2tZOHPxCw

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • Mystic family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Detected potential entity reuse from brand PAYPAL.

    • Detected potential entity reuse from brand STEAM.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks