Overview

overview

10

Static

static

8d436a8813...8e.exe

windows7-x64

10

8d436a8813...8e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e

  • Size

    180KB

  • Sample

    221126-be2e1abb85

  • MD5

    456ce5efd71c4748bc22caf14b9856b5

  • SHA1

    8d6f45376f10f3c30a1a565e17894646c494c4b5

  • SHA256

    0ad886fba50d53b85e93805323db0e45f48cd413213b43df1eb9c4e3f9b0fc02

  • SHA512

    24cdf9858826ec49fa0b721967b66290fb2d72ad5cecc4596f57f6bba919c09d4566b0bb6737b0a029ec42bf9b6dd1202f54378dbc4df103fe0303c964fc750d

  • SSDEEP

    3072:XH9L7yRAVQ1aEFmQLYK77ZxXtnHLWIwKc0YTdfVOB4aHHQG70WTvqqVCQMIap9UR:3FWAVyaQLb3pKNb1Rw4IB7jqqV0ZDUy4

Score
10/10
amadeylaplascollectiondiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.17/hfk3vK9/index.php

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb

Targets

    • Target

      8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e

    • Size

      237KB

    • MD5

      0460990761ea0b12df9d8133fb116bd7

    • SHA1

      16d234e218b4d7963e94d5a8c1b6b273fc538f19

    • SHA256

      8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e

    • SHA512

      0aad95f916b1f07cdd2be965292fee772fd420f111f969823875a4c4952df4f3aa380d00eb53ce67572027464bce139d41deae17656fbecf1b6f04d3db764a32

    • SSDEEP

      3072:rEW2zikDTjDqowd5u/NGVQUYocEKc0YTdfPOB4aHHQG70W8BVvFCEu:UDTjDR5Ub1Rm4IB7cBVNCE

    Score
    10/10
    amadeycollectionspywarestealertrojanlaplasdiscoverypersistence

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Amadey credential stealer module

    • Laplas Clipper

      Laplas is a crypto wallet stealer with two variants written in Golang and C#.

      stealerlaplas

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks