General

  • Target: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7
  • Size: 184KB
  • Sample: 221123-zcxwssff3v
  • MD5: 06e4a064149db5f03b1b6894e51acbfd
  • SHA1: dfeeb9bd3d983c478e2b4f54ea89b2bfcf884ee8
  • SHA256: abe59b6e7bb8b13900439d428c1164e9c16839293bb54541cf4182c97746b030
  • SHA512: 349caaa3eaa94f0b568d862cd21190fe61c19e0e03df574d66ee1806234a7205a9a0583634d5383b052f2266bd0cf9ec389327faf45ef0d4932794795029f7e2
  • SSDEEP: 3072:HQaYecJc+mkE2nNWEcmqzGJXxggE/426iYnzLW4OcG5dRfHnjt57gEIXR/FX:HQaYNmkJnNWEc9zoXxm4XzLNOcWPfHnu

Malware Config

Extracted

  • Family: amadey
  • Version: 3.50
  • C2:
    193.56.146.174/g84kvj4jck/index.php
    185.246.221.126/i4kvjd3xc/index.php

Extracted

  • Family: netwire
  • C2: alice2019.myftp.biz:3360

Attributes

  • activex_autorun: false
  • copy_executable: false
  • delete_original: false
  • host_id: Fs_Spread_0001
  • keylogger_dir: %AppData%\Logs\
  • lock_executable: false
  • offline_keylogger: true
  • password: Password
  • registry_autorun: false
  • use_mutex: false

Targets

    • Target: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7
    • Size: 244KB
    • MD5: 529dd7d863272e41eb4e8319861ac846
    • SHA1: 3efb8f465ebcbfe0ea2b36aa4e0021f1c26a9a38
    • SHA256: 3cf6f5f638bb25f273f23bfd61f6e421a840be57d0f9f7507613615761f10ba7
    • SHA512: 89892f6afabbd558fc84787e2f2aee93ddf048997b343150ed9e0fe8c033236d8f0ac2c167685a48fa5dd686ba2f8a1394b02a875b6e3e3b7cc31e611c16d740
    • SSDEEP: 6144:wuTL+CSPjWEbvxm4XHLNOcWPfJnj7zIo3B2:wuT7SP/bvYE51WPfVjwIB2

    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Detect Amadey credential stealer module
    • NetWire RAT payload
    • Netwire
      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Loads dropped DLL
    • Reads local data of messenger clients
      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
