General

  • Target

    2514ec71e8ecb604c6b979d954ddb1d63402a513912000eaa3d8d6dfa98f7441

  • Size

    5MB

  • Sample

    231206-kea3gsda75

  • MD5

    f4a5122b23d930794978c4615b0ce6d9

  • SHA1

    8e34c6a3da1d048b932c20b15fd6ba119677d57c

  • SHA256

    2514ec71e8ecb604c6b979d954ddb1d63402a513912000eaa3d8d6dfa98f7441

  • SHA512

    bc98cc58195392f944b82bdb8e246315c0b3670ec3f3ff8f44385fe14b8fdab942dc94ac87313a4c824bdb189b3b7eccb6b09e4781ebe49fb9a99f1e199a1bca

  • SSDEEP

    98304:+houLKz8ObAUvRXrrmARbgc4RS6HrHbAdMd93J7OgVNLIKORMed6KSu:+h9LKz8CXhvrRL4RS67bAd63J7vREX0

Malware Config

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.125

Attributes
  • install_dir

    4fdb51ccdc

  • install_file

    Utsysc.exe

  • strings_key

    a70b05054314f381be1ab9a5cdc8b250

  • url_paths

    /u6vhSc3PPq/index.php

rc4.plain

Targets

    • Target

      2514ec71e8ecb604c6b979d954ddb1d63402a513912000eaa3d8d6dfa98f7441

    • Size

      5MB

    • MD5

      f4a5122b23d930794978c4615b0ce6d9

    • SHA1

      8e34c6a3da1d048b932c20b15fd6ba119677d57c

    • SHA256

      2514ec71e8ecb604c6b979d954ddb1d63402a513912000eaa3d8d6dfa98f7441

    • SHA512

      bc98cc58195392f944b82bdb8e246315c0b3670ec3f3ff8f44385fe14b8fdab942dc94ac87313a4c824bdb189b3b7eccb6b09e4781ebe49fb9a99f1e199a1bca

    • SSDEEP

      98304:+houLKz8ObAUvRXrrmARbgc4RS6HrHbAdMd93J7OgVNLIKORMed6KSu:+h9LKz8CXhvrRL4RS67bAd63J7vREX0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Tasks