Malware Analysis Report

2024-11-30 23:27

Sample ID 230808-rb72daee4y
Target c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0
SHA256 c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0
Tags amadey sectoprat systembc persistence rat spyware stealer themida trojan vmprotect
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0

Threat Level: Known bad

The file c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0 was found to be: Known bad.

Malicious Activity Summary

amadey sectoprat systembc persistence rat spyware stealer themida trojan vmprotect

Amadey

SectopRAT payload

SectopRAT

SystemBC

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Themida packer

VMProtect packed file

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-08-08 14:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-08-08 14:02
Reported 2023-08-08 14:04
Platform win10-20230703-en
Max time kernel 141s
Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0.exe"

Signatures

Amadey

trojan amadey

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk C:\Users\Admin\AppData\Local\Temp\c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000349051\BR.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\soc64win.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058061\\soc64win.dll, rundll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\BR.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000349051\\BR.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000349051\BR.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1320 set thread context of 2756 N/A C:\Users\Admin\AppData\Local\Temp\c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1320 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2756 wrote to memory of 2536 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 4416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2756 wrote to memory of 4840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\AppData\Local\Temp\1000349051\BR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0.exe

"C:\Users\Admin\AppData\Local\Temp\c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\soc64win.dll, rundll

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\soc64win.dll, rundll

C:\Users\Admin\AppData\Local\Temp\1000349051\BR.exe

"C:\Users\Admin\AppData\Local\Temp\1000349051\BR.exe"

Network

Country Destination Domain Proto
DE 45.9.74.182:80 45.9.74.182 tcp
US 8.8.8.8:53 bejenaru-studio.ro udp
RO 176.126.201.5:80 bejenaru-studio.ro tcp
US 8.8.8.8:53 182.74.9.45.in-addr.arpa udp
US 8.8.8.8:53 5.201.126.176.in-addr.arpa udp
US 8.8.8.8:53 app.nunti-iasi.ro udp
RO 176.126.201.5:443 app.nunti-iasi.ro tcp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
RU 95.143.190.57:15648 tcp
US 8.8.8.8:53 57.190.143.95.in-addr.arpa udp
RU 5.42.65.67:4298 tcp
US 8.8.8.8:53 67.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\1000058061\soc64win.dll

MD5 62813c6cab9234e83949fcc563c33b57
SHA1 474c9abc14fea035d0e80128dbd7260f0cbc42b2
SHA256 b2b82c1977c17aec7ba0074f56c0d61100e616a0ce72dab748ec4269db6c0793
SHA512 a29cdda3218566509cfc3d07b50bfe9ece45fd6a57cb12b649b283204191326e30746bc9d33c63b2e8281b65fd1f19cc79092b81e8cd67d593010c3574986542

C:\Users\Admin\AppData\Local\Temp\1000349051\BR.exe

MD5 608638750dcc078dbd10555303bcce9f
SHA1 29cf6801805f4b3b643aefda8e3f0a71d041f37e
SHA256 81f4e0d6a70f14c3e07241196bd7f5318e302c28c64ca4bb876f4e25fbc3e5d2
SHA512 333d763d6008ae56c9c2383bff20443ebbbdeca525a62b4e3b7e1acebe260f36e0d806a43f4ea8781c1600707c8bb700760771ca2e9f3c10e2af987141227c58
