Overview

overview

10

Static

static

3

JC_82ecd2b...30.exe

windows7-x64

10

JC_82ecd2b...30.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JC_82ecd2b864229b43116466944478c474ac7ff2e8a0dd4f24df59d325953c2b30

  • Size

    918KB

  • Sample

    230901-x2sx2aha7z

  • MD5

    98628dba1be12d83b13f1b2bd25d85b6

  • SHA1

    e5ade0031e4f6b4a67189010dcb1fc015a7ad5ef

  • SHA256

    82ecd2b864229b43116466944478c474ac7ff2e8a0dd4f24df59d325953c2b30

  • SHA512

    789c5111f2c00caf2e10faa49834766d8731fc7d0efdbfeccdae1ac11180680f001e3254ac0b6fc4bf69449c1d61761a7990fce907605969a093408a668886f1

  • SSDEEP

    24576:TdO/YtNyqi2tAlwYZAVBHPXvkUNF3PEjVwaxG:gkNA2aW8ADP/1fiVwaxG

Score
10/10
amadeyfabookielaplasredline010923clipperdiscoveryevasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.83

C2

5.42.65.80/8bmeVwqx/index.php

Attributes
  • install_dir

    207aa4515d

  • install_file

    oneetx.exe

  • strings_key

    3e634dd0840c68ae2ced83c2be7bf0d4

rc4.plain

Extracted

Family

redline

Botnet

010923

C2

happy1sept.tuktuk.ug:11290

Attributes
  • auth_value

    8338bf26f599326ee45afe9d54f7ef8e

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes
  • api_key

    a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Targets

    • Target

      JC_82ecd2b864229b43116466944478c474ac7ff2e8a0dd4f24df59d325953c2b30

    • Size

      918KB

    • MD5

      98628dba1be12d83b13f1b2bd25d85b6

    • SHA1

      e5ade0031e4f6b4a67189010dcb1fc015a7ad5ef

    • SHA256

      82ecd2b864229b43116466944478c474ac7ff2e8a0dd4f24df59d325953c2b30

    • SHA512

      789c5111f2c00caf2e10faa49834766d8731fc7d0efdbfeccdae1ac11180680f001e3254ac0b6fc4bf69449c1d61761a7990fce907605969a093408a668886f1

    • SSDEEP

      24576:TdO/YtNyqi2tAlwYZAVBHPXvkUNF3PEjVwaxG:gkNA2aW8ADP/1fiVwaxG

    Score
    10/10
    amadeyfabookiespywarestealertrojanlaplasredline010923clipperdiscoveryevasioninfostealer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

      stealerclipperlaplas

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks