General

  • Target

    mtk.exe

  • Size

    3.8MB

  • Sample

    231025-fah53sea99

  • MD5

    0f9599d3ddf1e0c8f818d384ee8d0d19

  • SHA1

    2ca17aef38df0c00efa49b4b448c5f8343725c2f

  • SHA256

    a98aec4a39f5f5ee41280cb17d9b4b5e9bc1eea2fb2ff0d7a962e2b74464d67c

  • SHA512

    7c41c8bf3cadf94f14c25b1e85f3d56a4d39918b1b3718d3f8a284164dc02eb2643ebc28069c1bb7e84adaac41211c52f5e47fa10b86e797c64a6d4cfa0efbf7

  • SSDEEP

    49152:F0BKpXaVwQ5isgxUX+E5ZQcK2mqyxlb+oYLTL2QZnDNR0t62zm33Nar:Z7UwuyJYXL2QZDCzK3Nar

Malware Config

Extracted

Family

amadey

Version

2.03

Attributes

  • install_dir

    3101f8f780

  • install_file

    gbudn.exe

  • strings_key

    98efc0765f4c223e79368db4c8650353

rc4.plain

Targets

    • Target

      mtk.exe

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Detect Neshta payload

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Neshta

      Malware from the Neshta family infects other files in order to spread itself and cause damage.

    • StrongPity

      StrongPity is spyware developed by the PROMETHIUM APT group, mainly used in government-sponsored attacks.

    • StrongPity Spyware

    • Thanos Ransomware

      Ransomware-as-a-service (RaaS) sold through underground forums.

    • Thanos executable

    • Modifies boot configuration data using bcdedit

    • mimikatz is an open source tool to dump credentials on Windows

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified UPX.

    • Winexe tool used by Sofacy APT in several incidents

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion

    Modify Registry: T1112 (2)

    Subvert Trust Controls: T1553 (1)

    Install Root Certificate: T1553.004 (1)

  • Impact

    Inhibit System Recovery: T1490 (1)

Tasks