Resubmissions

06-12-2023 22:51

231206-2ssccshfe2 10

06-12-2023 22:49

231206-2rqgdahfd3 3

General

  • Target

    !@#Setup-Pa$$W0rd-2024.rar

  • Size

    18MB

  • Sample

    231206-2ssccshfe2

  • MD5

    60491f605166919212aa0351ae618381

  • SHA1

    ffe9d28ee4059d07f1fd75a956002f18a1a90ee2

  • SHA256

    334dfd6a7a445f9f9276101e434202f4a044e1f5bbd2bf72a2b8ba7164cfe138

  • SHA512

    6dddb9d63edc10e7d58bb4e9f9a1d52409dcd84127fffcf542492b667277ebaec6fd13bf33d92836a2fc1476daac8dd0f97d73cf094c9f67196c523840cbafc0

  • SSDEEP

    393216:DvYV/q2OHdyVYb7VlVEH+odXdun4eSznP/TTzI+B8TaTw2bcuphX8:jYV6QVYbvVwNdun4Db38+B8eTwoz/M

Malware Config

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.125

Attributes
  • install_dir

    4fdb51ccdc

  • install_file

    Utsysc.exe

  • strings_key

    a70b05054314f381be1ab9a5cdc8b250

  • url_paths

    /u6vhSc3PPq/index.php

rc4.plain

Extracted

Family

lumma

C2

http://gatelistcoldyeisa.pw/api

Targets

    • Target

      !@#Setup-Pa$$W0rd-2024/@#Setup-Pa$$W0rd-2024.rar

    • Size

      18MB

    • MD5

      0aeb13bb3dd0d2761e3966625faac892

    • SHA1

      a12b4adbb104ca945d248697753b4acbf054f157

    • SHA256

      0a52968fe93ad0cfde0d408dbc7e0a77c54ab01fbcc280dd4a1b3b3897c79fce

    • SHA512

      20de52f3c358735ffedcd068a1ea07d8bc66705e524362bd6c1dd1e81636b7f664b7e9d23239441d98dfcff8cbd48a2a6b0ff3bd0c5cede95acdcefdc407a34e

    • SSDEEP

      393216:ZvYV/q2OHdyVYb7VlVEH+odXdun4eSznP/TTzI+B8TaTw2bcuphXe:BYV6QVYbvVwNdun4Db38+B8eTwoz/O

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Tasks