General

  • Target

    82ecd2b864229b43116466944478c474ac7ff2e8a0dd4f24df59d325953c2b30

  • Size

    918KB

  • Sample

    230902-fhbe7sbb3s

  • MD5

    98628dba1be12d83b13f1b2bd25d85b6

  • SHA1

    e5ade0031e4f6b4a67189010dcb1fc015a7ad5ef

  • SHA256

    82ecd2b864229b43116466944478c474ac7ff2e8a0dd4f24df59d325953c2b30

  • SHA512

    789c5111f2c00caf2e10faa49834766d8731fc7d0efdbfeccdae1ac11180680f001e3254ac0b6fc4bf69449c1d61761a7990fce907605969a093408a668886f1

  • SSDEEP

    24576:TdO/YtNyqi2tAlwYZAVBHPXvkUNF3PEjVwaxG:gkNA2aW8ADP/1fiVwaxG

Malware Config

Extracted

Family

amadey

Version

3.83

C2

5.42.65.80/8bmeVwqx/index.php

Attributes
  • install_dir

    207aa4515d

  • install_file

    oneetx.exe

  • strings_key

    3e634dd0840c68ae2ced83c2be7bf0d4

rc4.plain

Extracted

Family

redline

Botnet

010923

C2

happy1sept.tuktuk.ug:11290

Attributes
  • auth_value

    8338bf26f599326ee45afe9d54f7ef8e

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes
  • api_key

    a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Targets

    • Target

      82ecd2b864229b43116466944478c474ac7ff2e8a0dd4f24df59d325953c2b30

    • Size

      918KB

    • MD5

      98628dba1be12d83b13f1b2bd25d85b6

    • SHA1

      e5ade0031e4f6b4a67189010dcb1fc015a7ad5ef

    • SHA256

      82ecd2b864229b43116466944478c474ac7ff2e8a0dd4f24df59d325953c2b30

    • SHA512

      789c5111f2c00caf2e10faa49834766d8731fc7d0efdbfeccdae1ac11180680f001e3254ac0b6fc4bf69449c1d61761a7990fce907605969a093408a668886f1

    • SSDEEP

      24576:TdO/YtNyqi2tAlwYZAVBHPXvkUNF3PEjVwaxG:gkNA2aW8ADP/1fiVwaxG

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks