General

  • Target

    d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09.zip

  • Size

    749KB

  • Sample

    230321-r1kmdadd2w

  • MD5

    c060aabd9f6a1d22eada869b44f1a54c

  • SHA1

    4afcab319f7017348483c796d03e0985681fad24

  • SHA256

    d2d3058a2a175ff00b4da1fbbef586d5d9ab1b61c429357e1efa97ecce1ba815

  • SHA512

    aaa3ddf23f14bd451dbc47ab6552380eee0adccf42b7178b90238a53f68d66df11e25eb10b589f263a510ab54b53340b2ac5da7599e074fb36c37364ee00d56d

  • SSDEEP

    12288:Jc1Yn83Za25pf1JbTLHHz22udFUPjlUPeb/S1Nbp+gP9PCV8/JKL5KO9u+ZBvxp4:JcK8paMX9TLHEds5gZNbp+gP9PCGBOKz

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.65

  • C2

    77.73.134.27/8bmdh3Slb2/index.php

Targets

    • Target

      d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09.exe

    • Size

      1.5MB

    • MD5

      9b8786c9e74cfd314d7fe9fab571d451

    • SHA1

      e5725184c2da0103046f44c211cc943582c1b2b2

    • SHA256

      d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09

    • SHA512

      9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9

    • SSDEEP

      12288:0uKd2SU1qQFhpGf1U1gYZMt4TwIwwNjCBCTIXFgpWW5Gm41jKmejWYzHWsd+1Ys2:NKdKUYLm7dsTccLa1mmerbED

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is malware related to Lazarus's Manuscrypt, targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 1
