General

  • Target

    daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95

  • Size

    1.2MB

  • Sample

    231005-ffzd9agg4x

  • MD5

    85a914f6400f14e001b8102742f3191b

  • SHA1

    49ab27ab30e6bfa5d9432aefefac32e108befcab

  • SHA256

    daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95

  • SHA512

    c46f000d8998ac02b5ee858cfeefaf709169949f9b35fb74ae5e5c79fe6c810472cbd64c78a3f354adaca9d33aaa1be5e1f0c4048336893bd1501c1a3d63e9ce

  • SSDEEP

    24576:1ALvx6r2VNpnwz+dDM4PKul7UD1cnCjQIEaCo7nfkvqVJN2L:Mvx6SVNLdDM4fqKCjx98SVJA

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://193.42.32.29/9bDc8sQ/index.php

Attributes
  • install_dir

    1ff8bec27e

  • install_file

    nhdues.exe

  • strings_key

    2efe1b48925e9abf268903d42284c46b

rc4.plain

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Extracted

Family

vidar

Version

5.9

Botnet

4841d6b1839c4fa7c20ecc420b82b347

C2

https://steamcommunity.com/profiles/76561199557479327

https://t.me/grizmons

Attributes
  • profile_id_v2

    4841d6b1839c4fa7c20ecc420b82b347

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 OPR/104.0.0.0

Targets

    • Target

      daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95

    • Size

      1.2MB

    • MD5

      85a914f6400f14e001b8102742f3191b

    • SHA1

      49ab27ab30e6bfa5d9432aefefac32e108befcab

    • SHA256

      daf969ecb631e937d67df09267ac5f9bfcd533b0d5c5ddabc1a7f6148d560c95

    • SHA512

      c46f000d8998ac02b5ee858cfeefaf709169949f9b35fb74ae5e5c79fe6c810472cbd64c78a3f354adaca9d33aaa1be5e1f0c4048336893bd1501c1a3d63e9ce

    • SSDEEP

      24576:1ALvx6r2VNpnwz+dDM4PKul7UD1cnCjQIEaCo7nfkvqVJN2L:Mvx6SVNLdDM4fqKCjx98SVJA

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Modifies boot configuration data using bcdedit

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Stops running service(s)

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses 2FA software files, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks