General

  • Target

    daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95

  • Size

    1.2MB

  • Sample

    231004-eaw69sha2v

  • MD5

    85a914f6400f14e001b8102742f3191b

  • SHA1

    49ab27ab30e6bfa5d9432aefefac32e108befcab

  • SHA256

    daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95

  • SHA512

    c46f000d8998ac02b5ee858cfeefaf709169949f9b35fb74ae5e5c79fe6c810472cbd64c78a3f354adaca9d33aaa1be5e1f0c4048336893bd1501c1a3d63e9ce

  • SSDEEP

    24576:1ALvx6r2VNpnwz+dDM4PKul7UD1cnCjQIEaCo7nfkvqVJN2L:Mvx6SVNLdDM4fqKCjx98SVJA

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://193.42.32.29/9bDc8sQ/index.php

Attributes
  • install_dir

    1ff8bec27e

  • install_file

    nhdues.exe

  • strings_key

    2efe1b48925e9abf268903d42284c46b

rc4.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Targets

    • Target

      daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95

    • Size

      1.2MB

    • MD5

      85a914f6400f14e001b8102742f3191b

    • SHA1

      49ab27ab30e6bfa5d9432aefefac32e108befcab

    • SHA256

      daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95

    • SHA512

      c46f000d8998ac02b5ee858cfeefaf709169949f9b35fb74ae5e5c79fe6c810472cbd64c78a3f354adaca9d33aaa1be5e1f0c4048336893bd1501c1a3d63e9ce

    • SSDEEP

      24576:1ALvx6r2VNpnwz+dDM4PKul7UD1cnCjQIEaCo7nfkvqVJN2L:Mvx6SVNLdDM4fqKCjx98SVJA

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Sets service image path in registry

    • Stops running service(s)

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks