Resubmissions

  • 29-02-2024 02:14  240229-cpakpsbc64  (score 10/10)

  • 28-02-2024 18:15  240228-wv8jgaae88  (score 10/10)

General

  • Target

    CSGO_Hack.zip

  • Size

    206.7MB

  • Sample

    240229-cpakpsbc64

  • MD5

    93180dd5a15bf6ccb5eea63bd0d7ffef

  • SHA1

    98a51f8a9fa1989fdb6ab1a390632216bddfb2fe

  • SHA256

    37ffba131c763e2630433b2865a8149508af32f387fb5808cfaf539815bb5077

  • SHA512

    ee0d033c0fc14ae56742a13e3ba69da429767ebf39a6232636f1fe8234aa019ad6db95b888aba6cc256b5e29d3769084205db5f7e422e8cf9ca8eb3dc4d6d442

  • SSDEEP

    3145728:QTAd+isFgs4dRrSN2FCEDK92BdwEKfAlEUuB35rJvIybESkDFLNJnAOjhg2:QGQe9dR40iAzwU7uR51IcERFLwOS2

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://185.196.10.188

http://45.159.189.140

http://89.23.103.42

Attributes
  • install_dir

    551e5e2908

  • install_file

    Dctooux.exe

  • strings_key

    40bfc938b9af6a10b5f8b3b4398e4941

  • url_paths

    /hb9IvshS/index.php

  • rc4.plain
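The extracted configuration above is directly actionable: the three C2 hosts combined with the url_paths value give the Amadey check-in URL, and install_dir plus install_file give the on-disk artefact. The following Python is an added example, not part of the sandbox report, that turns those values into matchers and runs them over a few constructed log lines. The squid-style proxy format and the Sysmon-style FileCreate format are assumptions, as is the parent directory of the install path (only the `<install_dir>\<install_file>` suffix is matched, since the report does not state where it lands). A hit on host and path together is treated as a check-in; a hit on the bare host only is kept but ranked lower, because a shared IP can serve unrelated traffic.

```python
"""IOC matcher built from the Amadey 4.18 config in this report.

Added example, not the sandbox's own code. Config values are copied from
the report; the log lines below are constructed for illustration and the
log formats (squid proxy, Sysmon-style file events) are assumptions.
"""
import re
from urllib.parse import urlsplit

# Values taken verbatim from the "Malware Config" section of the report.
C2 = ["http://185.196.10.188", "http://45.159.189.140", "http://89.23.103.42"]
URL_PATHS = ["/hb9IvshS/index.php"]
INSTALL_DIR = "551e5e2908"
INSTALL_FILE = "Dctooux.exe"

# Hostnames only: the config gives scheme+host, traffic may carry a port.
C2_HOSTS = {urlsplit(u).hostname for u in C2}

# Matches "...\551e5e2908\Dctooux.exe" at the end of a path, either slash
# style, case-insensitively (NTFS paths are case-insensitive).
ARTIFACT_RE = re.compile(
    r"(?i)[\\/]" + re.escape(INSTALL_DIR) + r"[\\/]" + re.escape(INSTALL_FILE) + r"$"
)

# Constructed sample proxy log (squid native format, assumed). Not from the report.
PROXY_LOG = """\
1709172000.123 45 10.0.0.7 TCP_MISS/200 812 POST http://185.196.10.188/hb9IvshS/index.php - HIER_DIRECT/185.196.10.188 text/html
1709172001.456 30 10.0.0.7 TCP_MISS/200 512 GET http://example.com/index.php - HIER_DIRECT/93.184.216.34 text/html
1709172002.789 40 10.0.0.9 TCP_MISS/200 700 POST http://89.23.103.42:80/hb9IvshS/index.php - HIER_DIRECT/89.23.103.42 text/html
1709172003.000 20 10.0.0.9 TCP_MISS/404 300 GET http://45.159.189.140/other.php - HIER_DIRECT/45.159.189.140 text/html
"""

# Constructed sample file events (Sysmon-like key=value lines, assumed). The
# %TEMP% parent directory is an assumption; only the suffix is matched.
FILE_EVENTS = """\
FileCreate Image=C:\\Users\\bob\\AppData\\Local\\Temp\\Launcher.exe TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\551e5e2908\\Dctooux.exe
FileCreate Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\bob\\Downloads\\CSGO_Hack.zip
FileCreate Image=C:\\Users\\bob\\AppData\\Local\\Temp\\551E5E2908\\DCTOOUX.EXE TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\551E5E2908\\foo.tmp
"""


def classify_request(url):
    """'checkin' if host and path both match the config, 'host' if only the
    host matches (weaker evidence), None otherwise."""
    parts = urlsplit(url)
    if parts.hostname not in C2_HOSTS:
        return None
    return "checkin" if parts.path in URL_PATHS else "host"


def scan_proxy_log(text):
    """Return (client_ip, kind, url) for every line touching a C2 host."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line; skip rather than crash
        client, url = fields[2], fields[6]
        kind = classify_request(url)
        if kind:
            hits.append((client, kind, url))
    return hits


def scan_file_events(text):
    """Return (field, path) for every Image= or TargetFilename= value that
    ends in the configured install_dir\\install_file artefact."""
    hits = []
    for line in text.splitlines():
        for key in ("Image", "TargetFilename"):
            m = re.search(key + r"=(\S+)", line)
            if m and ARTIFACT_RE.search(m.group(1)):
                hits.append((key, m.group(1)))
    return hits


def iocs():
    """Flat IOC set for export to a blocklist or detection rule."""
    return {
        "c2_hosts": sorted(C2_HOSTS),
        "checkin_urls": sorted(u.rstrip("/") + p for u in C2 for p in URL_PATHS),
        "artifact_suffix": f"{INSTALL_DIR}\\{INSTALL_FILE}",
    }


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy", *hit)
    for hit in scan_file_events(FILE_EVENTS):
        print("file ", *hit)
```

Run against real logs, the check-in matches (host plus `/hb9IvshS/index.php`) are the ones worth paging on; the host-only match on the fourth line is still worth a look, but the report does not say what else those addresses serve.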

Targets

    • Target

      Launcher.dll

    • Size

      2KB

    • MD5

      32e7556ff4f5256d15e1fc843cee5e3d

    • SHA1

      b7283061428e9ca741c26dcfc3e869e2fc699f0b

    • SHA256

      b2f5dfcba2018e9b4314c245f6391783bd3717fe02fec3e6edf1b9d1a3801278

    • SHA512

      d39ca3fd8edb7db7e19655ea3aa69d8b0a4008514ed356808b59f7cdf4c109b7efd0ed54f6ea099d37b33f107f234adc4f01a178c90961e88d3c9ed7a8ebe40e

    Score
    1/10
    • Target

      Launcher.exe

    • Size

      364KB

    • MD5

      fea10d11d84919cb9a0a0752d61c0a66

    • SHA1

      aea3c65e2b62851b2dd112597f28379b49c58a0a

    • SHA256

      2786febdd57874118eaf5e257382cf4467d43f9ca189ac48ff6d45494f1cbab7

    • SHA512

      e382f79ec1f1c370cd0053cccc7a0db8f3dc28b22f9dacd5f425c60adfb21e4a6eed3e119a7f9bbf135839e22d46511ca793cf8b5118d0e6256ebbbe749fc508

    • SSDEEP

      6144:LpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrZR5lJWPkOD:Lp8KLBzQ7Lcf3SiQs2FTTql9unNrkvzw

    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information and loading further payloads; in this run it also delivered an XMRig miner.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

      Setting another thread's context is a common step in process hollowing and similar injection techniques.

    • Target

      data/AppInfo/RIBTwoUATqEp

    • Size

      50KB

    • MD5

      8618603555e100c4d43a2df960daf2c3

    • SHA1

      65ccc35d4362f7889d44da6df8f769aafa198c16

    • SHA256

      d88ecb816adc565e3f81cc7e66768f18f30d88c67cad231b7dca7516083964d0

    • SHA512

      10895c4058a8ea1a22f054b08dd67c826b8aba441d3ee1f64c2723b51e87edb4f22912f33b883c98fda940c007c9d90441f19dd296cdd2dd80cc7c71e147b1b0

    • SSDEEP

      1536:bmwLrmODq0OorurbxO9Pshw0IMCxbh/Tto:ywndDqjo3Wyhpo

    Score
    1/10
    • Target

      data/AppInfo/VO1DaL46eflm

    • Size

      50KB

    • MD5

      1d0cedfad1b3559078ffb9772981415b

    • SHA1

      c7220efab0b1dc37b6b1717d7382ebc919253c06

    • SHA256

      c0ae8f2a566240fdcdc8ba416f99e27247214b64a648f732eea84b5ef6978fee

    • SHA512

      a12928a9fd53fc2718ac4fd872569e9088b1242640a2d37cd13f21f6cc6e8ea3906b4ffccc77f3fdd4896ff816799ebbd07c6de7096d78a7cdf66057f770ceae

    • SSDEEP

      1536:SaJ9buo03tki4A5wotvNiPVX1d06y42SxsJWW:tJTEuq5wotVitld0vSxsZ

    Score
    1/10
    • Target

      data/AppInfo/WtFlkRqeJ61k

    • Size

      50KB

    • MD5

      a239a256cd1644ab6b0fc27737abfe7e

    • SHA1

      fc2af8211c890dd60c54f036990f39fa017924bc

    • SHA256

      1ef1b461ebda6c768d2f891f349a43321fc9cdc730195149ee8af6891cb694b9

    • SHA512

      29eeec13bdf152c5c71d312a446b31019eed05f6db5b4e3f40796c458a47f6de9090b344f6d2ff0eee0e32fd2f083a6ed872e85d1d5b998aef1a0008a240378a

    • SSDEEP

      768:/ieNH/5zS/QV+fMVg59utzeXcsWUR60mwms/6pet2sh/NGFCtSqyyJ+bBSpfE+f+:a+H/lqgWMVw01sWaZipetNWbBSW+L/+r

    Score
    1/10
    • Target

      data/AppInfo/Xfh5GWnGPMjT

    • Size

      55KB

    • MD5

      71692e4937b32add8bd824bffa117b5e

    • SHA1

      06f9bd0cda232b6754e92b9cbde72464238c6d09

    • SHA256

      15332ba0f7c566797841dc56aa476cec090fd1d56608b74c85e4b6a73d253cdc

    • SHA512

      a41e6c26299fc419461039fd485632e143a6f2799ec9ddbe30845e8069effbc0da0e56fe8ade5782f97a78a83aed8ae2e2eec4c160cb85c47a97ec3f6a7ec040

    • SSDEEP

      768:jFV6uGx/pnoebIbnz+iXirJrbjwFFnSCSN0o7YJliHHhPx3kDDDxLv6DnKUreNVz:jzsXf0/++iCnSCSN+J8HJx3WLSTXrEJ

    Score
    1/10
    • Target

      data/AppInfo/YwTGpGD7UtG1

    • Size

      55KB

    • MD5

      2efcd934a4050107952a971251a2ce23

    • SHA1

      33c67ae46d1ddbbbacb14d86e03299e0914dc7db

    • SHA256

      91b03b137bbb69b7ceec1ea4208ff02e24198b7b7623851b487e8ad11c251610

    • SHA512

      ca0e835d9999ad7048a80432e0aa0293ceabd1581709610ec4776176e2fca3fc89ebe564bfc4156dbf0d165ad30e08f40448e0b42c984cadc264934590cfb813

    • SSDEEP

      1536:5DzX3qUDEBlQV6/Pea1yibFYKxZ32EikLKa+i42:5DD6UDCQI3eiynKxxj+il

    Score
    1/10
    • Target

      data/AppInfo/kGCFZO6TPVYy

    • Size

      50KB

    • MD5

      e02895cc5c57887976c2695a9864411c

    • SHA1

      eeba3ddf36c87490d0286fb19e427d32c0334500

    • SHA256

      35ccaf21b1b4140a76542355264f6c310464bd3949b8bc0141f8c373e08e104e

    • SHA512

      60b08dc70d134a678b3b251b3edaa26482f0aacb57c3bd167772cd3154984ce5db13e697adfefdb3ed2ad00658e95d0f0239c1309c65684558c5f3ff335baaf2

    • SSDEEP

      768:Z2YnUceD3G+WsCv8XYs2N9+st8mi4UPU58APxhDeJekFfgWXPn:kYnUNtWUYsG9DGmP+UiYx+eAPn

    Score
    1/10
    • Target

      data/AppInfo/services/Launhcer.dll

    • Size

      2KB

    • MD5

      7de0541eb96ba31067b4c58d9399693b

    • SHA1

      a105216391bd53fa0c8f6aa23953030d0c0f9244

    • SHA256

      934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

    • SHA512

      e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

    Score
    1/10
    • Target

      data/AppInfo/services/Launhcer.exe

    • Size

      364KB

    • MD5

      e5c00b0bc45281666afd14eef04252b2

    • SHA1

      3b6eecf8250e88169976a5f866d15c60ee66b758

    • SHA256

      542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

    • SHA512

      2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

    • SSDEEP

      6144:+pS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYql6wrEJWPYg:+p8KLBzQ7Lcf3SiQs2FTTql9unNrkv75

    Score
    5/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      data/AppInfo/services/WinRAR.exe

    • Size

      2.1MB

    • MD5

      f59f4f7bea12dd7c8d44f0a717c21c8e

    • SHA1

      17629ccb3bd555b72a4432876145707613100b3e

    • SHA256

      f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

    • SHA512

      44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

    • SSDEEP

      49152:2oJAPtSHWxwJWzkDVkwg5NYUzNjteyUHBdH3y005:2ZAHWSxkfNNte9BpCN

    Score
    4/10
    • Target

      data/AppInfo/services/data/Launcher.dll

    • Size

      6KB

    • MD5

      f58866e5a48d89c883f3932c279004db

    • SHA1

      e72182e9ee4738577b01359f5acbfbbe8daa2b7f

    • SHA256

      d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12

    • SHA512

      7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177

    • SSDEEP

      96:b0bb/xXjs8XNeWeQUjCq61hl+L08Nuz+570phTlA8cP:bC/xXo89eWidohls7wK70vTlPcP

    Score
    1/10
    • Target

      data/AppInfo/services/data/Launcher.exe

    • Size

      364KB

    • MD5

      fea10d11d84919cb9a0a0752d61c0a66

    • SHA1

      aea3c65e2b62851b2dd112597f28379b49c58a0a

    • SHA256

      2786febdd57874118eaf5e257382cf4467d43f9ca189ac48ff6d45494f1cbab7

    • SHA512

      e382f79ec1f1c370cd0053cccc7a0db8f3dc28b22f9dacd5f425c60adfb21e4a6eed3e119a7f9bbf135839e22d46511ca793cf8b5118d0e6256ebbbe749fc508

    • SSDEEP

      6144:LpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrZR5lJWPkOD:Lp8KLBzQ7Lcf3SiQs2FTTql9unNrkvzw

    Score
    5/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      data/AppInfo/services/wget.exe

    • Size

      4.9MB

    • MD5

      8c04808e4ba12cb793cf661fbbf6c2a0

    • SHA1

      bdfdb50c5f251628c332042f85e8dd8cf5f650e3

    • SHA256

      a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

    • SHA512

      9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

    • SSDEEP

      98304:bHObnQdOb3OWEqNHeHq6PdOnS8SOGdVilQeHPpXF0aGOVxuGqYE6hpAl/70pzd+Z:bHInQ5WE2HeHq61OJSOGdVilQeHPpXFA

    Score
    1/10
    • Target

      data/AppInfo/vhXDYuQByxPS

    • Size

      50KB

    • MD5

      69e8b3c7830da5c4198b328b8b7edb96

    • SHA1

      b6f34033a98dd7fc8d71aff46fe341c52c5c3b2b

    • SHA256

      88bb8308d0534b6a095a6a6e077ff5458cf64e5aeed4af9e2c699fe477062aa1

    • SHA512

      9030969249198eec69791bad27ff28e8a679ab3fab147210434e2f2b0c054f4cc0dfec3f8b55df4f03f67a690252c4387fd2bbb0da0f36a94dc02e86f787ebbe

    • SSDEEP

      768:8I09HEsnpUEW3OZrkouzHpo1WOzgcfeWiy0Xn4C6tm1neEndy+Uo:8IKnpUEPrrutogcmWmg27Uo

    Score
    1/10
    • Target

      data/BLAKEX64.DLL

    • Size

      158KB

    • MD5

      cbd662a04f272ce00461a52ae2e74a49

    • SHA1

      97cede2b282e79d9646e4b0d15e3eb666d13a613

    • SHA256

      bb997248e7b5da5b3c112ef3e2d127c300c412465d342004d3ac34d50d50fc85

    • SHA512

      354b7cbd237963382b95c537c8243efadddeed9d40c40c73c3519a5061d7e1572aa0a67d5fbc28d2fa56631bad963c28eb47d793406440e9bf0ae03f56ef0d8f

    • SSDEEP

      3072:X76r2tq8JlXY/6pOO742Mv5o8JsMxt1E:L6rgFJSu74Bv5

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

amadey evasion persistence trojan
Score
10/10

behavioral4

amadey xmrig evasion miner persistence trojan
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
3/10

behavioral20

Score
5/10

behavioral21

persistence
Score
4/10

behavioral22

persistence
Score
4/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
3/10

behavioral26

Score
5/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10