General

  • Target

    file.exe

  • Size

    273KB

  • Sample

    231005-ke97kshf6x

  • MD5

    9a4c1ffa5524000e27d735a01b5c7046

  • SHA1

    1cd6d8a903945d1b21ff4261c3c50370fc4acca1

  • SHA256

    7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74

  • SHA512

    24929f0286499e683cdc7e90c95985d6e22360e5fe440990ccad17adfcf90b7eb14662f39d8d1cd42bee40f123f2fd596c4e465b15eda91a17a6699f2c4e6068

  • SSDEEP

    6144:T4UpOobfAtnh2LnXHkWNsJxlSKz0oWV8zrlSenTExmKV7qF:8UQDtnhoUashS20hizrlS2ExWF

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://193.42.32.29/9bDc8sQ/index.php

Attributes
  • install_dir

    1ff8bec27e

  • install_file

    nhdues.exe

  • strings_key

    2efe1b48925e9abf268903d42284c46b

rc4.plain

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Targets

    • Target

      file.exe

    • Size

      273KB

    • MD5

      9a4c1ffa5524000e27d735a01b5c7046

    • SHA1

      1cd6d8a903945d1b21ff4261c3c50370fc4acca1

    • SHA256

      7cd7bf6e8ec89fecb6efbad8f40556bd1e2433b58864cec67c216bbd0bacee74

    • SHA512

      24929f0286499e683cdc7e90c95985d6e22360e5fe440990ccad17adfcf90b7eb14662f39d8d1cd42bee40f123f2fd596c4e465b15eda91a17a6699f2c4e6068

    • SSDEEP

      6144:T4UpOobfAtnh2LnXHkWNsJxlSKz0oWV8zrlSenTExmKV7qF:8UQDtnhoUashS20hizrlS2ExWF

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • UAC bypass

    • Windows security bypass

    • Downloads MZ/PE file

    • Stops running service(s)

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks