General

  • Target

    fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe

  • Size

    508KB

  • Sample

    230923-yasnmabh47

  • MD5

    4a94bfa09b99674b406eefa0fc0f8c5e

  • SHA1

    583055372661a2a359586a3fc2cdbaecc951659c

  • SHA256

    fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b

  • SHA512

    6463035915777cb01b89863eaee6ffe14ea211ac3640f1a6c8bc78f2d2b3692fdee3ff427cd4e5dad6591900f62b6eeba80abe434ff23d2402f2f401fe5e0dec

  • SSDEEP

    12288:EndeNz+MiYZmsSOgetN5ONjUrhGkOjkLtxOqaF5:EnYNzECS4N5ONjUdGR6POHf

Malware Config

Targets

    • Target

      fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe

    • Size

      508KB

    • MD5

      4a94bfa09b99674b406eefa0fc0f8c5e

    • SHA1

      583055372661a2a359586a3fc2cdbaecc951659c

    • SHA256

      fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b

    • SHA512

      6463035915777cb01b89863eaee6ffe14ea211ac3640f1a6c8bc78f2d2b3692fdee3ff427cd4e5dad6591900f62b6eeba80abe434ff23d2402f2f401fe5e0dec

    • SSDEEP

      12288:EndeNz+MiYZmsSOgetN5ONjUrhGkOjkLtxOqaF5:EnYNzECS4N5ONjUdGR6POHf

    • Ammyy Admin

      Remote admin tool with various capabilities.

    • AmmyyAdmin payload

    • Detect rhadamanthys stealer shellcode

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (92) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (99) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks