amadey

Resubmissions

14-11-2022 12:34

221114-pr4msahf27 10

14-11-2022 09:44

221114-lqklqsge48 10

Sharing

Copy URL

Twitter E-mail

General

Target

242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.zip
Size

2.9MB
Sample

221114-lqklqsge48
MD5

ca8ba9678740a88b7ea1be1dd2945700
SHA1

b40ac89c4913e281afd07a9f6ab9065491f07817
SHA256

24dc074176cdd1b4d8159333443508a5a45160f6e1f75b5bd9f5824f2fda51ed
SHA512

3aeeb4bc5c18105ce58c17c306729d6a4ec2a85d698e5fa9bd6177cff0d40f8e62c44900f88c489bf711e4397588ea4cb3ce6752c31e690e499b12e19988e7d1
SSDEEP

49152:kcKrcU6nLGsbcGVWhWfhyxnZg1aFWP7ljTM7zXH1iitjUNomGzseBn2:hKrcU6nL3xDyVHkPxjTM7z38MjUNJmB2

Malware Config

Extracted

Family

nullmixer

http://sokiran.xyz/

Extracted

Family

vidar

Version

39.6

Botnet

933

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Extracted

Family

vidar

Version

55.6

Botnet

1679

https://t.me/seclab_new

https://raw.githubusercontent.com/sebekeloytfu/simple-bash-scripts/master/calculator.sh

Attributes

profile_id
1679

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Extracted

Family

vidar

Version

55.6

Botnet

937

https://t.me/seclab_new

https://raw.githubusercontent.com/sebekeloytfu/simple-bash-scripts/master/calculator.sh

Attributes

profile_id
937

Targets

- Target
  
  242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499.exe
- Size
  
  3.0MB
- MD5
  
  70800f0e430d4c9ae411aa87ef26870d
- SHA1
  
  ae3108303791bf71f3d8a22a81950f56d064ec60
- SHA256
  
  242b050cc122233e783283296a736b689acfb116c68047c52252a012ba322499
- SHA512
  
  1746b4407479ab721c7df75bce318fc0251154732e988bd92a65a686da20f71cd7f9705e5a37bf939f4aa5bc64a722b8a73465c58517dc254377a28d20ac2c4c
- SSDEEP
  
  49152:xcBOPkZVi7iKiF8cUvFyPIbUgwvnJTn13QTNyfk5u4ocZ12EwJ84vLRaBtIl9mTO:xsri7ixZUvFyPIbYvnZnpQocu4xZ1FC3
Score

10^/10

amadey fabookie nullmixer privateloader smokeloader tofsee vidar 1679 933 aspackv2 backdoor dropper evasion loader persistence spyware stealer themida trojan upx vmprotect nymaim 937
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Fabookie payload
- Detects Smokeloader packer
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- NyMaim
  NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
  trojan nymaim
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Nirsoft
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect Fabookie payload

Detects Smokeloader packer

Fabookie

Modifies Windows Defender Real-time Protection settings

NullMixer

NyMaim

PrivateLoader

Process spawned unexpected child process

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Tofsee

Vidar

Nirsoft

Vidar Stealer

ASPack v2.12-2.42

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

UPX packed file

VMProtect packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Adds Run key to start application

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2