General

  • Target

    9b3b6ea864f32e5f1b18e77d3a9d97b407240c8280cd408d110955906646cdcd

  • Size

    392KB

  • Sample

    241116-a7n5pszncm

  • MD5

    e06b81c208a137638b171074d2a7e221

  • SHA1

    54852fec0478ff97aad476be9af09f36034bfa79

  • SHA256

    9b3b6ea864f32e5f1b18e77d3a9d97b407240c8280cd408d110955906646cdcd

  • SHA512

    3fc602a654a0a8089ccfa32c8d1ce06c659c23077d53fd32833f65ffec7497d262686212dc9d48a5784be4357966063eac9b1d2ba034ac17f44ef6c47b84566d

  • SSDEEP

    3072:V+ESQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lbaV2:DPA6wxmuJspr2lb6

Malware Config

Targets

    • Target

      9b3b6ea864f32e5f1b18e77d3a9d97b407240c8280cd408d110955906646cdcd

    • Size

      392KB

    • MD5

      e06b81c208a137638b171074d2a7e221

    • SHA1

      54852fec0478ff97aad476be9af09f36034bfa79

    • SHA256

      9b3b6ea864f32e5f1b18e77d3a9d97b407240c8280cd408d110955906646cdcd

    • SHA512

      3fc602a654a0a8089ccfa32c8d1ce06c659c23077d53fd32833f65ffec7497d262686212dc9d48a5784be4357966063eac9b1d2ba034ac17f44ef6c47b84566d

    • SSDEEP

      3072:V+ESQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lbaV2:DPA6wxmuJspr2lb6

    • Andromeda family

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

    • Detects Andromeda payload.

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks