andromeda | 3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae | Triage

Submit
Reports

Overview

overview

Static

static

3

3272b28489...ae.exe

windows7-x64

3272b28489...ae.exe

windows10-2004-x64

Sharing

General

Target

3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
Size

80KB
Sample

241127-qx27kssjgn
MD5

7cdff1827f0a2e77a0d715f5951558be
SHA1

9a277d0c2d3ec8f61de77c16d138de7b5367a1c3
SHA256

3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae
SHA512

62675a38ef9ba9b0bad79bae8937c25c453e7d821525f585149419a8d0c95ae2f2b80a4e580f4ce8b33ab093c3e757c8e0711fa81fff1b5c6f70f5508d0d66d2
SSDEEP

1536:BxR5bM9oLiCMsJozgKWNJ4NJxPMg2o1Ej7j:BP5bphozgKWNJ4NJxPR1A7j

Score

10^/10

andromeda backdoor botnet discovery persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe

Resource

win7-20240903-en

andromeda backdoor botnet discovery

windows7-x64

9 signatures

120 seconds

Behavioral task

behavioral2

Sample

3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe

Resource

win10v2004-20241007-en

andromeda backdoor botnet discovery persistence

windows10-2004-x64

11 signatures

120 seconds

Malware Config

Targets

- Target
  
  3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
- Size
  
  80KB
- MD5
  
  7cdff1827f0a2e77a0d715f5951558be
- SHA1
  
  9a277d0c2d3ec8f61de77c16d138de7b5367a1c3
- SHA256
  
  3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae
- SHA512
  
  62675a38ef9ba9b0bad79bae8937c25c453e7d821525f585149419a8d0c95ae2f2b80a4e580f4ce8b33ab093c3e757c8e0711fa81fff1b5c6f70f5508d0d66d2
- SSDEEP
  
  1536:BxR5bM9oLiCMsJozgKWNJ4NJxPMg2o1Ej7j:BP5bphozgKWNJ4NJxPR1A7j
Score

10^/10

andromeda backdoor botnet discovery persistence
- Andromeda family
  andromeda
- Andromeda, Gamarue
  Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
  botnet backdoor andromeda
- Detects Andromeda payload.
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

andromedabackdoorbotnetdiscovery

behavioral2

andromedabackdoorbotnetdiscoverypersistence

© 2018-2024

Terms | Privacy