General

  • Target

    amers.exe

  • Size

    792KB

  • Sample

    240204-h13craeeem

  • MD5

    86e90a0e4fe2f98f8f2478324ade935f

  • SHA1

    0e2bac43f7b2b302c1448e253c0d26aeea4bded0

  • SHA256

    71b221f5f267ec6c822d1c47a7d00900e617221b5dc7a2eee79bf8cf11de2b13

  • SHA512

    ac54d5b6234ea189fdeafc5de6f445d9cc62b25569642f321e7766e8cf5a73d020b5a6bf345546ba4e4c52557939b847ff0861cbee8b5bf47dce2e10fb9fc89b

  • SSDEEP

    24576:8YKy8eYf8HnawQ8RHW/nSka9QZbmNrU0W0Ru8PqF:l8eYUHnal8R2/Ska9QZSgug8Pq

Malware Config

Extracted

  Family: amadey
  Version: 4.15
  C2: http://185.215.113.68
  Attributes
    • install_dir: d887ceb89d
    • install_file: explorhe.exe
    • strings_key: 7cadc181267fafff9df8503e730d60e1
    • url_paths: /theme/index.php
  rc4.plain

Extracted

  Family: amadey
  C2: http://185.215.113.68
  Attributes
    • strings_key: 7cadc181267fafff9df8503e730d60e1
    • url_paths: /theme/index.php
  rc4.plain

Extracted

  Family: redline
  Botnet: @oni912
  C2: 45.15.156.209:40481

Extracted

  Family: risepro
  C2: 65.109.90.47:50500
  C2: 193.233.132.62:50500

Extracted

  Family: redline
  Botnet: @PixelsCloud
  C2: 94.156.67.230:13781

Extracted

  Family: redline
  Botnet: @oleh_ps
  C2: 185.172.128.33:8924

Extracted

  Family: redline
  Botnet: 1
  C2: 92.222.212.74:1450

Targets

    • Target

      amers.exe

    • Size

      792KB

    • MD5

      86e90a0e4fe2f98f8f2478324ade935f

    • SHA1

      0e2bac43f7b2b302c1448e253c0d26aeea4bded0

    • SHA256

      71b221f5f267ec6c822d1c47a7d00900e617221b5dc7a2eee79bf8cf11de2b13

    • SHA512

      ac54d5b6234ea189fdeafc5de6f445d9cc62b25569642f321e7766e8cf5a73d020b5a6bf345546ba4e4c52557939b847ff0861cbee8b5bf47dce2e10fb9fc89b

    • SSDEEP

      24576:8YKy8eYf8HnawQ8RHW/nSka9QZbmNrU0W0Ru8PqF:l8eYUHnal8R2/Ska9QZSgug8Pq

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect ZGRat V1

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, then technique (ID): count of matching behaviours

  Execution
    • Scheduled Task/Job (T1053): 1

  Persistence
    • Create or Modify System Process (T1543): 2
      • Windows Service (T1543.003): 2
    • Scheduled Task/Job (T1053): 1

  Privilege Escalation
    • Create or Modify System Process (T1543): 2
      • Windows Service (T1543.003): 2
    • Scheduled Task/Job (T1053): 1

  Defense Evasion
    • Impair Defenses (T1562): 1

  Discovery
    • System Information Discovery (T1082): 2
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1

  Impact
    • Service Stop (T1489): 1

Tasks