Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    4.0MB

  • Sample

    230202-m2zepshg71

  • MD5

    c4b49f766394903f86c495dcb4c4609d

  • SHA1

    aef887b3ff017d474506aa6089cedc675e78bdc1

  • SHA256

    7ae3d2164fd38eec98477b6b1c89bbf4adf709477efbe1ea4b7482ff0077620c

  • SHA512

    c26989cb8144e4f98ab29da4970385b10aa7194b0a2116abf0e310a3604e80ce962784a2eb6c9e09d0d2f664ed894f069fd5034b8274cf8892a53a03804d27a0

  • SSDEEP

    98304:SJ3wJW9uaoMgeeDI6l1AdeAERLipZM/dFAyNCb:SJA5aoMgeR6lyeAERLEM/Cb

Score
10/10
amadeydcratsmokeloaderbackdoorcollectiondiscoveryinfostealerratspywarestealertrojanvmprotect

Malware Config

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

Targets

    • Target

      tmp

    • Size

      4.0MB

    • MD5

      c4b49f766394903f86c495dcb4c4609d

    • SHA1

      aef887b3ff017d474506aa6089cedc675e78bdc1

    • SHA256

      7ae3d2164fd38eec98477b6b1c89bbf4adf709477efbe1ea4b7482ff0077620c

    • SHA512

      c26989cb8144e4f98ab29da4970385b10aa7194b0a2116abf0e310a3604e80ce962784a2eb6c9e09d0d2f664ed894f069fd5034b8274cf8892a53a03804d27a0

    • SSDEEP

      98304:SJ3wJW9uaoMgeeDI6l1AdeAERLipZM/dFAyNCb:SJA5aoMgeR6lyeAERLEM/Cb

    Score
    10/10
    amadeysmokeloaderbackdoorspywarestealertrojanvmprotectdcratcollectiondiscoveryinfostealerrat

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detects Smokeloader packer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks