Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    225KB

  • Sample

    221223-vjj63aca2v

  • MD5

    6a59c469713da7bb9abc4b8f2e8ac6da

  • SHA1

    e87a23b50b3f3a41c50d62e558153d3a3010a02b

  • SHA256

    3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

  • SHA512

    16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

  • SSDEEP

    3072:Lz08R/4F+88pD4EkNimqFDF6D2lhPBhQuzpw1H4Oc/1dcK4sRPID6bM0mQt0:x4QRnkgZFDFNPouzpw1H4O9NDCP0

Score
10/10
amadeychinese_generic_botnetremcosrhadamanthys12-22-22bootkitbotnetevasionpersistenceratstealertrojan

Malware Config

Extracted

Family

amadey

Version

3.60

C2

193.42.33.28/game0ver/index.php

Extracted

Family

remcos

Botnet

12-22-22

C2

194.180.48.225:1024

Attributes
  • audio_folder

    iujhgv

  • audio_path

    %Temp%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    lkjhg.exe

  • copy_folder

    sdfghjk

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    oijkhb.dat

  • keylog_flag

    false

  • keylog_folder

    hgfds

  • keylog_path

    %WinDir%

  • mouse_option

    false

  • mutex

    yuhgfd-9Z85LD

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    lkjhg

  • screenshot_path

    %AppData%

  • screenshot_time

    5

  • startup_value

    ijhgf

  • take_screenshot_option

    true

  • take_screenshot_time

    5

  • take_screenshot_title

    bank

Targets

    • Target

      file.exe

    • Size

      225KB

    • MD5

      6a59c469713da7bb9abc4b8f2e8ac6da

    • SHA1

      e87a23b50b3f3a41c50d62e558153d3a3010a02b

    • SHA256

      3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

    • SHA512

      16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

    • SSDEEP

      3072:Lz08R/4F+88pD4EkNimqFDF6D2lhPBhQuzpw1H4Oc/1dcK4sRPID6bM0mQt0:x4QRnkgZFDFNPouzpw1H4O9NDCP0

    Score
    10/10
    amadeychinese_generic_botnetremcosrhadamanthys12-22-22bootkitbotnetevasionpersistenceratstealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect rhadamanthys stealer shellcode

    • Generic Chinese Botnet

      A botnet originating from China which is currently unnamed publicly.

      botnetchinese_generic_botnet

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • UAC bypass

      evasiontrojan

    • Chinese Botnet payload

      botnet

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks