Overview

overview

10

Static

static

3

99f3f207f4...f1.exe

windows7-x64

3

99f3f207f4...f1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    99f3f207f46f8ad298b3c77c406da5d7248b6cd6498eccddc988eb7a5ba708f1.exe

  • Size

    88KB

  • Sample

    241120-wph2mavpdk

  • MD5

    9b393f87a7d80c62366167c3218a4a6e

  • SHA1

    afb1650204d241e1b78a64ab01b5a4a3d333de96

  • SHA256

    99f3f207f46f8ad298b3c77c406da5d7248b6cd6498eccddc988eb7a5ba708f1

  • SHA512

    edd4780642eee3b1fa5b15a12ec513ad6560460812ff6c2df4624c59da1cf269936c1f9f56911664f66d486ef5ffa5b611c1504015e05175d358f22543bc82f9

  • SSDEEP

    1536:t5piVnDXkTbhCtaB6GVA/bVQPxfgiqfoOonoKg+yOH5y/yE7:6D0ctAVA/bmxIMnoKjyR/N7

Score
10/10
andromedabackdoorbotnetdiscoverypersistenceupx

Malware Config

Targets

    • Target

      99f3f207f46f8ad298b3c77c406da5d7248b6cd6498eccddc988eb7a5ba708f1.exe

    • Size

      88KB

    • MD5

      9b393f87a7d80c62366167c3218a4a6e

    • SHA1

      afb1650204d241e1b78a64ab01b5a4a3d333de96

    • SHA256

      99f3f207f46f8ad298b3c77c406da5d7248b6cd6498eccddc988eb7a5ba708f1

    • SHA512

      edd4780642eee3b1fa5b15a12ec513ad6560460812ff6c2df4624c59da1cf269936c1f9f56911664f66d486ef5ffa5b611c1504015e05175d358f22543bc82f9

    • SSDEEP

      1536:t5piVnDXkTbhCtaB6GVA/bVQPxfgiqfoOonoKg+yOH5y/yE7:6D0ctAVA/bmxIMnoKjyR/N7

    Score
    10/10
    discoveryandromedabackdoorbotnetpersistenceupx

    • Andromeda family

      andromeda

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

      botnetbackdoorandromeda

    • Detects Andromeda payload.

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks