Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Resubmissions

25-02-2023 05:45

230225-gfvxhacd32 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    235KB

  • Sample

    230225-gfvxhacd32

  • MD5

    ebd584e9c1a400cd5d4bafa0e7936468

  • SHA1

    d263c62902326425ed17855d49d35003abcd797b

  • SHA256

    ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

  • SHA512

    e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

  • SSDEEP

    6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ

Score
10/10
amadeyaurorapersistencepyinstallerspywarestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

aurora

C2

212.87.204.93:8081

Extracted

Language
ps1
Source
URLs
exe.dropper

https://evilextractor.com/wp-content/uploads/2022/12/Python39-322.zip
exe.dropper

https://evilextractor.com/wp-content/uploads/2023/02/Parameter.zip
exe.dropper

https://github.com/tedburke/CommandCam/archive/refs/heads/master.zip

Targets

    • Target

      tmp

    • Size

      235KB

    • MD5

      ebd584e9c1a400cd5d4bafa0e7936468

    • SHA1

      d263c62902326425ed17855d49d35003abcd797b

    • SHA256

      ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

    • SHA512

      e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

    • SSDEEP

      6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ

    Score
    10/10
    amadeyaurorapersistencepyinstallerspywarestealertrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

      stealeraurora

    • Nirsoft

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks