Overview

overview

10

Static

static

3

0771ddc151...94.exe

windows7-x64

10

0771ddc151...94.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0dbaff61a0d7eb35c23542fe980c8e30.bin

  • Size

    1.6MB

  • Sample

    231026-bgzdesad65

  • MD5

    1a556ee80fcf6d537f624ae11a9190a0

  • SHA1

    2369322c271fb9f23127f6b75c363523f9fd19fd

  • SHA256

    06faa5e61d3a3fc1e22b02ef6e2045e8f95e209190a98810b486f49bcf1bd1ad

  • SHA512

    86ec93c911e03527599dbe31fbb6b8dc8503ee5cae3ec0e9b537aa647e0390574718426520472d173e35aca1c647e190ee4428273a2b67e14969db35acfc6ab4

  • SSDEEP

    24576:XH+OK+UCMckBz9Oz8CaV3pua1FUrF/Vt4+YQfdppsF+9l5D33:4+UV5GatnMrK/QWUN

Score
10/10
amadeyardamaxazorultmimikatzneshtastrongpityinfostealerkeyloggerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

2.03

Attributes
  • install_dir

    3101f8f780

  • install_file

    gbudn.exe

  • strings_key

    98efc0765f4c223e79368db4c8650353

rc4.plain

Extracted

Family

azorult

C2

http://benchadcrd.nl/gate.php

Targets

    • Target

      0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe

    • Size

      4.0MB

    • MD5

      0dbaff61a0d7eb35c23542fe980c8e30

    • SHA1

      a65bce229a1f0143c6f5c86a205da15d74652335

    • SHA256

      0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594

    • SHA512

      d59cc95efbb06b98b32ab0f52596aad4cf8b72a2390cddee8237301ee284995421fe98aff13a967db34d49759feaeac51f76e23d4d49397ef81fb003075adfc7

    • SSDEEP

      49152:5hkVUncRtu1kPxXzEgDH/0nl0efk6e4Ath5+hY7hYKJ+NFK2Z0N/eEDNIGuWFlva:qxJDhlEF0N/e06Wrghxt

    Score
    10/10
    amadeymimikatzneshtastrongpitypersistencespywarestealertrojanupxardamaxazorultinfostealerkeylogger

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Ardamax

      A keylogger first seen in 2013.

      keyloggerstealerardamax

    • Ardamax main executable

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Neshta payload

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

      mimikatz

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • StrongPity

      StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.

      stealerspywarestrongpity

    • StrongPity Spyware

    • mimikatz is an open source tool to dump credentials on Windows

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Winexe tool used by Sofacy APT in several incidents

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks