Overview

overview

10

Static

static

10

soso.exe

windows10-2004-x64

10

Resubmissions

03-09-2023 16:21

230903-ttw3yaah91 10

03-09-2023 16:18

230903-tr9w1sah9x 10

03-09-2023 16:14

230903-tpye7sbd64 10

03-09-2023 15:51

230903-tazdysbd34 10

03-09-2023 15:43

230903-s6daxsbc96 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    soso.exe

  • Size

    307KB

  • Sample

    230903-tr9w1sah9x

  • MD5

    55f845c433e637594aaf872e41fda207

  • SHA1

    1188348ca7e52f075e7d1d0031918c2cea93362e

  • SHA256

    f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

  • SHA512

    5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

  • SSDEEP

    6144:GUG2bcUH6Z0+ReEjhVsJgAmkMAIeuudb8MT8AOacOZS:GU9bIeEdVsJqeuudbFT8SZS

Score
10/10
amadeyfabookieredline010923evasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

79.137.192.18/9bDc8sQ/index.php

Attributes
  • install_dir

    577f58beff

  • install_file

    yiueea.exe

  • strings_key

    a5085075a537f09dec81cc154ec0af4d

rc4.plain

Extracted

Family

redline

Botnet

010923

C2

happy1sept.tuktuk.ug:11290

Attributes
  • auth_value

    8338bf26f599326ee45afe9d54f7ef8e

Targets

    • Target

      soso.exe

    • Size

      307KB

    • MD5

      55f845c433e637594aaf872e41fda207

    • SHA1

      1188348ca7e52f075e7d1d0031918c2cea93362e

    • SHA256

      f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

    • SHA512

      5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

    • SSDEEP

      6144:GUG2bcUH6Z0+ReEjhVsJgAmkMAIeuudb8MT8AOacOZS:GU9bIeEdVsJqeuudbFT8SZS

    Score
    10/10
    amadeyfabookieredline010923evasioninfostealerspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks