General

  • Target

    9b3a50dc10eb0e67144d29b43b6be6ef932b4d3486659e5c699e72a82b063dd9

  • Size

    4.1MB

  • Sample

    230202-17s2rsbf6s

  • MD5

    0a36af6655f76fdd5dc78ebbf85e2752

  • SHA1

    79ad61776ec50945c1ab27bf434a8c0632003a1e

  • SHA256

    9b3a50dc10eb0e67144d29b43b6be6ef932b4d3486659e5c699e72a82b063dd9

  • SHA512

    a3f3924c00a241aaa60c598013c8338f7c20f2fa0e43feaa30f9a2b94480279b3b9c698dc3adffa5b3953cd07f0798d618c28891b499d1f473fc47b5f47f63f8

  • SSDEEP

    49152:Q0vYGL/PdGnWYzlXaDSvcDNPZSUO59aukb57R2v2brVZM18s2916dBK7SkBYHMqr:Pvb/PW3lWI4pjy9aTR42b7iA5aMuxk

Malware Config

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

Targets

    • Target

      9b3a50dc10eb0e67144d29b43b6be6ef932b4d3486659e5c699e72a82b063dd9

    • Size

      4.1MB

    • MD5

      0a36af6655f76fdd5dc78ebbf85e2752

    • SHA1

      79ad61776ec50945c1ab27bf434a8c0632003a1e

    • SHA256

      9b3a50dc10eb0e67144d29b43b6be6ef932b4d3486659e5c699e72a82b063dd9

    • SHA512

      a3f3924c00a241aaa60c598013c8338f7c20f2fa0e43feaa30f9a2b94480279b3b9c698dc3adffa5b3953cd07f0798d618c28891b499d1f473fc47b5f47f63f8

    • SSDEEP

      49152:Q0vYGL/PdGnWYzlXaDSvcDNPZSUO59aukb57R2v2brVZM18s2916dBK7SkBYHMqr:Pvb/PW3lWI4pjy9aTR42b7iA5aMuxk

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

    • Detect Fabookie payload

    • Detects Smokeloader packer

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks