Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    1.5MB

  • Sample

    230315-nv7ceafa4s

  • MD5

    94b07cea9a210e7bab966658b2dd1c86

  • SHA1

    efa95afeaf9c75645b67b0814a555e086fe2bece

  • SHA256

    18ab77b46f43847e5544dca47ad24c7a241d3ddf20f9a4ed5f663c477a1420e7

  • SHA512

    60aa974435e264d682e9d5fc42812025337d485ab451aea004310b5e83cfa8c8bbe8f464f37646561c1344cae9b64b580a02c57a7647eae838f7046737d1af95

  • SSDEEP

    12288:6FursW8SLl2NuGQwd8JiUn/5EwrTbgL5TtgC6fplh5ttiCja5pu/ouXYxEUc1FS9:ocB4uGMdhCE7liCUUzS1j

Score
10/10
amadeypseudomanuscryptdiscoveryloaderspywarestealertrojanvmprotect

Malware Config

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

Targets

    • Target

      file.exe

    • Size

      1.5MB

    • MD5

      94b07cea9a210e7bab966658b2dd1c86

    • SHA1

      efa95afeaf9c75645b67b0814a555e086fe2bece

    • SHA256

      18ab77b46f43847e5544dca47ad24c7a241d3ddf20f9a4ed5f663c477a1420e7

    • SHA512

      60aa974435e264d682e9d5fc42812025337d485ab451aea004310b5e83cfa8c8bbe8f464f37646561c1344cae9b64b580a02c57a7647eae838f7046737d1af95

    • SSDEEP

      12288:6FursW8SLl2NuGQwd8JiUn/5EwrTbgL5TtgC6fplh5ttiCja5pu/ouXYxEUc1FS9:ocB4uGMdhCE7liCUUzS1j

    Score
    10/10
    pseudomanuscryptloaderamadeydiscoveryspywarestealertrojanvmprotect

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detects PseudoManuscrypt payload

      loader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

      loaderpseudomanuscrypt

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks