Overview

overview

10

Static

static

5

591f67eb1e...fb.exe

windows7-x64

8

591f67eb1e...fb.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe

  • Size

    392KB

  • Sample

    241126-2jmerazlek

  • MD5

    82e2ea96bd980f31e38f51638b635e7f

  • SHA1

    e5001915a2516fe86c6d04822bc669919991ee24

  • SHA256

    591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb

  • SHA512

    564f98b8265597c93acdc5d6426089a5441598d38aac13ab1e16ec074b8291c3e8e176ded09bdf5eb24a700a6c1910416cbe45f1426d50a43e50cd4da219d97b

  • SSDEEP

    3072:V+ESQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lbaV2K:DPA6wxmuJspr2lb6P

Score
10/10
andromedabackdoorbotnetdiscoverypersistenceupx

Malware Config

Targets

    • Target

      591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb.exe

    • Size

      392KB

    • MD5

      82e2ea96bd980f31e38f51638b635e7f

    • SHA1

      e5001915a2516fe86c6d04822bc669919991ee24

    • SHA256

      591f67eb1ec7f3e4fdd98aa87403e02f2d4c2e3dda8c09d60cae5b187449cbfb

    • SHA512

      564f98b8265597c93acdc5d6426089a5441598d38aac13ab1e16ec074b8291c3e8e176ded09bdf5eb24a700a6c1910416cbe45f1426d50a43e50cd4da219d97b

    • SSDEEP

      3072:V+ESQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lbaV2K:DPA6wxmuJspr2lb6P

    Score
    10/10
    discoverypersistenceupxandromedabackdoorbotnet

    • Andromeda family

      andromeda

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

      botnetbackdoorandromeda

    • Detects Andromeda payload.

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks