andromeda | 5d8d767674e0c750a7079db17d3fb54859b6c8095935d7176af8a7c11a77b84f | Triage

Submit
Reports

Overview

overview

Static

static

3

5d8d767674...4f.exe

windows7-x64

5d8d767674...4f.exe

windows10-2004-x64

Sharing

General

Target

5d8d767674e0c750a7079db17d3fb54859b6c8095935d7176af8a7c11a77b84f.exe
Size

168KB
Sample

241202-kwc86stpaj
MD5

25aec122773f3a73c32ed71402fef96f
SHA1

c3773e2413975f4c4c98d91df9a690ef7390a1b2
SHA256

5d8d767674e0c750a7079db17d3fb54859b6c8095935d7176af8a7c11a77b84f
SHA512

aaa06b4cad26ef1dd7e496559a61ec6420eaefa2afacd8e59bc65468f1eee1229e38f967d07800bcd589b23423539fb29758e84c938daaa0bd2e2e0cadf5a0e4
SSDEEP

1536:8haN2fh0+TTQInoWGJcJJleqt1+Wgx3lFnHmleHSWgLAyXnnLm+AnqO5EU:2++TFnoWTTYBB1hHgN1Anq6

Score

10^/10

andromeda backdoor botnet discovery persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5d8d767674e0c750a7079db17d3fb54859b6c8095935d7176af8a7c11a77b84f.exe

Resource

win7-20241023-en

andromeda backdoor botnet discovery

windows7-x64

8 signatures

120 seconds

Behavioral task

behavioral2

Sample

5d8d767674e0c750a7079db17d3fb54859b6c8095935d7176af8a7c11a77b84f.exe

Resource

win10v2004-20241007-en

andromeda backdoor botnet discovery persistence

windows10-2004-x64

10 signatures

120 seconds

Malware Config

Targets

- Target
  
  5d8d767674e0c750a7079db17d3fb54859b6c8095935d7176af8a7c11a77b84f.exe
- Size
  
  168KB
- MD5
  
  25aec122773f3a73c32ed71402fef96f
- SHA1
  
  c3773e2413975f4c4c98d91df9a690ef7390a1b2
- SHA256
  
  5d8d767674e0c750a7079db17d3fb54859b6c8095935d7176af8a7c11a77b84f
- SHA512
  
  aaa06b4cad26ef1dd7e496559a61ec6420eaefa2afacd8e59bc65468f1eee1229e38f967d07800bcd589b23423539fb29758e84c938daaa0bd2e2e0cadf5a0e4
- SSDEEP
  
  1536:8haN2fh0+TTQInoWGJcJJleqt1+Wgx3lFnHmleHSWgLAyXnnLm+AnqO5EU:2++TFnoWTTYBB1hHgN1Anq6
Score

10^/10

andromeda backdoor botnet discovery persistence
- Andromeda family
  andromeda
- Andromeda, Gamarue
  Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
  botnet backdoor andromeda
- Detects Andromeda payload.
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

andromedabackdoorbotnetdiscovery

behavioral2

andromedabackdoorbotnetdiscoverypersistence

© 2018-2024

Terms | Privacy