Overview

overview

10

Static

static

3

99aba006f0...96.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    99aba006f0b570e62e072dca26996e92b876227bc6f4b85117d39adec3cb4a96

  • Size

    642KB

  • Sample

    241105-gfzkpavnex

  • MD5

    53f933f011bc702fbc354f4392049d29

  • SHA1

    2337f02d13c7078b38291eb169c371a507011fb5

  • SHA256

    99aba006f0b570e62e072dca26996e92b876227bc6f4b85117d39adec3cb4a96

  • SHA512

    ddb6a58654307dc76b03414b0a3ea8a72dae5aa4d50fa7c7ca298eb1908c0b4f0e17a65d73f5dec362cfeec1786597bed751eee00cb33cdb70cb469995386e94

  • SSDEEP

    12288:9MrLy90A2Z/OzbtCrPeFotrt6midImA2wqK6n3/S+rkU67zVnMRDn:Cyt2szbgrmypidIX+rvgpnMRDn

Score
10/10
amadeyhealerredlinesmokeloader88c8bbgotadbackdoordiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

gotad

C2

77.91.124.84:19071

Attributes
  • auth_value

    3fb7c1f3fcf68bc377eae3f6f493a684

Targets

    • Target

      99aba006f0b570e62e072dca26996e92b876227bc6f4b85117d39adec3cb4a96

    • Size

      642KB

    • MD5

      53f933f011bc702fbc354f4392049d29

    • SHA1

      2337f02d13c7078b38291eb169c371a507011fb5

    • SHA256

      99aba006f0b570e62e072dca26996e92b876227bc6f4b85117d39adec3cb4a96

    • SHA512

      ddb6a58654307dc76b03414b0a3ea8a72dae5aa4d50fa7c7ca298eb1908c0b4f0e17a65d73f5dec362cfeec1786597bed751eee00cb33cdb70cb469995386e94

    • SSDEEP

      12288:9MrLy90A2Z/OzbtCrPeFotrt6midImA2wqK6n3/S+rkU67zVnMRDn:Cyt2szbgrmypidIX+rvgpnMRDn

    Score
    10/10
    amadeyhealerredlinesmokeloader88c8bbgotadbackdoordiscoverydropperevasioninfostealerpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Healer family

      healer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Smokeloader family

      smokeloader

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks