General
-
Target
2250e2ef3a47d0280080a3e4026e7a519817376f35893f47f51986838358ddef
-
Size
222KB
-
Sample
221117-xhwvksfc68
-
MD5
c19315c6b8b082f067cc858d2795efdf
-
SHA1
63e2b8622f30da95a372acbd9159bda6cb3e1eec
-
SHA256
2250e2ef3a47d0280080a3e4026e7a519817376f35893f47f51986838358ddef
-
SHA512
936bdc41f2a5c0ea0c95e8a03803b180b43c7f12841fd93b242ebb3bf4f8d231a6833e4f1974bf549584d65776ecb89a83997290f7488093bc6a645e3546f0b6
-
SSDEEP
3072:gYBMxiuEva/ou5eViB1c/EbOQUuZgAYdNOL03p6o1Rf/c8q90JkqpTD:jKmatDc/EbO0hcNOL9o1Rf/cZ9wtp
Malware Config
Extracted
amadey
3.50
193.56.146.174/g84kvj4jck/index.php
Extracted
raccoon
d8f44b07b06da3a90ad87ebc9249718c
http://79.137.205.87/
Targets
-
-
Target
2250e2ef3a47d0280080a3e4026e7a519817376f35893f47f51986838358ddef
-
Size
222KB
-
MD5
c19315c6b8b082f067cc858d2795efdf
-
SHA1
63e2b8622f30da95a372acbd9159bda6cb3e1eec
-
SHA256
2250e2ef3a47d0280080a3e4026e7a519817376f35893f47f51986838358ddef
-
SHA512
936bdc41f2a5c0ea0c95e8a03803b180b43c7f12841fd93b242ebb3bf4f8d231a6833e4f1974bf549584d65776ecb89a83997290f7488093bc6a645e3546f0b6
-
SSDEEP
3072:gYBMxiuEva/ou5eViB1c/EbOQUuZgAYdNOL03p6o1Rf/c8q90JkqpTD:jKmatDc/EbO0hcNOL9o1Rf/cZ9wtp
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-