General

  • Target

    4e528a5d717c4a9908bbe2538db01e0538fccedba8a3fe3fc1fb8c5dbf2004ebN.exe

  • Size

    392KB

  • Sample

    241210-nshahazjfl

  • MD5

    c678c394c12a4715c7e7915bf8410a20

  • SHA1

    f61f2d809d528ea506419389e54ae440942d57c3

  • SHA256

    4e528a5d717c4a9908bbe2538db01e0538fccedba8a3fe3fc1fb8c5dbf2004eb

  • SHA512

    1c1ea98460b84d9c97aea73d782204a433d031bae7c8e23cbba59baadb24c12eb7b0904865bbc3de75e6cd2231ef0beeb249e8ca7bbc5640d4b3a838e694e06f

  • SSDEEP

    3072:V+ESQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lbaV2:DPA6wxmuJspr2lb6

Malware Config

Targets

    • Target

      4e528a5d717c4a9908bbe2538db01e0538fccedba8a3fe3fc1fb8c5dbf2004ebN.exe

    • Size

      392KB

    • MD5

      c678c394c12a4715c7e7915bf8410a20

    • SHA1

      f61f2d809d528ea506419389e54ae440942d57c3

    • SHA256

      4e528a5d717c4a9908bbe2538db01e0538fccedba8a3fe3fc1fb8c5dbf2004eb

    • SHA512

      1c1ea98460b84d9c97aea73d782204a433d031bae7c8e23cbba59baadb24c12eb7b0904865bbc3de75e6cd2231ef0beeb249e8ca7bbc5640d4b3a838e694e06f

    • SSDEEP

      3072:V+ESQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lbaV2:DPA6wxmuJspr2lb6

    • Andromeda family

    • Andromeda, Gamarue

      Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

    • Detects Andromeda payload.

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks