Overview

overview

10

Static

static

3

Launcher.dll

windows10-2004-x64

1

Launcher.exe

windows10-2004-x64

10

data/HzkTNOg6s1em.ps1

windows10-2004-x64

1

data/appIn...m4.ps1

windows10-2004-x64

1

data/appIn...5c.ps1

windows10-2004-x64

1

data/appIn...er.dll

windows10-2004-x64

1

data/appIn...er.exe

windows10-2004-x64

5

data/appIn...AR.exe

windows10-2004-x64

3

data/appIn...er.dll

windows10-2004-x64

1

data/appIn...er.exe

windows10-2004-x64

5

data/appIn...et.exe

windows10-2004-x64

1

data/tAoMyd4BMpNH.ps1

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NordVPN-10_11.zip

  • Size

    217.6MB

  • Sample

    240324-3ff91ada8v

  • MD5

    dc4f1a240f8a940977284ce77f876439

  • SHA1

    6b013a62e9d0d511256f69abc4ded33c7f291772

  • SHA256

    3f80c20fecafcfa264532eae938edb81dd04c8d0335c366f0b3c4c64ad529967

  • SHA512

    f92f00734f19c669c26febe8e227d7a2f3f23b901e21c9a9ec19ad9e4aac9863c9ef32f03b8d646ec4a4e1d67769d833012698c0d720a049f0c9af342d3f29c1

  • SSDEEP

    6291456:a74mfEYvZivD8HFBsPzmG9yGvaOBdUFyHZJMLpQm:a7fEYvRlBsPzmG9P3BdTDMLD

Score
10/10
amadeyrhadamanthysxmrigevasionminerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

4.19

C2

http://185.196.10.188

http://45.159.189.140

http://89.23.103.42
Attributes
  • install_dir

    b4e248fdbd

  • install_file

    Dctooux.exe

  • strings_key

    01edd7c913096383774168b5aeebc95e

  • url_paths

    /hb9IvshS/index.php

    /hb9IvshS2/index.php

    /hb9IvshS3/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

C2

http://185.196.10.188

http://89.23.103.42

http://45.159.189.140
Attributes
  • strings_key

    40bfc938b9af6a10b5f8b3b4398e4941

  • url_paths

    /hb9IvshS/index.php

rc4.plain

Targets

    • Target

      Launcher.dll

    • Size

      2KB

    • MD5

      32e7556ff4f5256d15e1fc843cee5e3d

    • SHA1

      b7283061428e9ca741c26dcfc3e869e2fc699f0b

    • SHA256

      b2f5dfcba2018e9b4314c245f6391783bd3717fe02fec3e6edf1b9d1a3801278

    • SHA512

      d39ca3fd8edb7db7e19655ea3aa69d8b0a4008514ed356808b59f7cdf4c109b7efd0ed54f6ea099d37b33f107f234adc4f01a178c90961e88d3c9ed7a8ebe40e

    Score
    1/10
    behavioral1

    • Target

      Launcher.exe

    • Size

      364KB

    • MD5

      93fde4e38a84c83af842f73b176ab8dc

    • SHA1

      e8c55cc160a0a94e404f544b22e38511b9d71da8

    • SHA256

      fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

    • SHA512

      48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

    • SSDEEP

      6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

    Score
    10/10
    amadeyrhadamanthysxmrigevasionminerpersistencespywarestealertrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Creates new service(s)

      persistence

    • Stops running service(s)

      evasion

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Downloads MZ/PE file

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral2

    • Target

      data/HzkTNOg6s1em

    • Size

      50KB

    • MD5

      7038dc43406aaa195889f20880cb49a4

    • SHA1

      2d398e6d8187c33cf00d10a96ddd32fd4218d94b

    • SHA256

      9b74b2cbc8ec3b2cfbf9f6f6c20f5f90576f8bb9c44fe5a8ed0109aa97f21bcb

    • SHA512

      9254fc4d470cfb633b98a748993b0bbc40f0ea0c2163ca56c2b99ab3c5700e978be200c99bc9be6f516ced04331391053dbe90b03e8d8844f0edd785b82f67a7

    • SSDEEP

      1536:gboSBtdpjqVkGRKA/hTsG7sg72LavYGWC0e+gU0:gbogtP0RKA/Jsg7KeYGKe+gU0

    Score
    1/10
    behavioral3

    • Target

      data/appInfo/UqYyr4PZlPm4

    • Size

      150KB

    • MD5

      97faa935235531bac529a1eb0a533df1

    • SHA1

      0cdbcf1d9534b593a5cb33843a9e8d0445c91f97

    • SHA256

      d8df009acf37dd59649a8f618b8e16ba67cace1746f86fab120715399f7c2890

    • SHA512

      6d3b680de730e83921452cf48c0d11062710d26d371076a3406ab7b36294d510b47cfcae80996381c06606636637eea5a55f8d79a38ad88f4a4364d397aa0cf9

    • SSDEEP

      3072:8FWJgA0YaAcuTjzDaa5WrTS2R+TlpFczpa9Ikmeiqe6Ix2EeJg2xb:88Fc4b4EpFczpa4+Eei2p

    Score
    1/10
    behavioral4

    • Target

      data/appInfo/Zxph8ZShJw5c

    • Size

      110KB

    • MD5

      5249241ac29cdb71e1b4caad76149444

    • SHA1

      f35ec18fcdc29885b028e2d5de7305d9b62088df

    • SHA256

      cff4d04b160809cbc331713287f910d0bfba2bab205c655e58a3c847f6229a2c

    • SHA512

      28c51d9c9330e7e82f56362d9601ebbe2aee4ea81a6a684ce0acd4f583a17db68a580ba8e723581199904eedd4c0ef6ba8e9bd7fdd01309de39ec20c4685aeb0

    • SSDEEP

      3072:cpKcc3xtAjk2y/x92hYpXzoLtj6u8UtQAJ7+6X6e:cpKcitAI2yHGYtzoLtjRtQAJZXJ

    Score
    1/10
    behavioral5

    • Target

      data/appInfo/services/Launhcer.dll

    • Size

      2KB

    • MD5

      7de0541eb96ba31067b4c58d9399693b

    • SHA1

      a105216391bd53fa0c8f6aa23953030d0c0f9244

    • SHA256

      934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

    • SHA512

      e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

    Score
    1/10
    behavioral6

    • Target

      data/appInfo/services/Launhcer.exe

    • Size

      364KB

    • MD5

      e5c00b0bc45281666afd14eef04252b2

    • SHA1

      3b6eecf8250e88169976a5f866d15c60ee66b758

    • SHA256

      542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

    • SHA512

      2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

    • SSDEEP

      6144:+pS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYql6wrEJWPYg:+p8KLBzQ7Lcf3SiQs2FTTql9unNrkv75

    Score
    5/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral7

    • Target

      data/appInfo/services/WinRAR.exe

    • Size

      2.1MB

    • MD5

      f59f4f7bea12dd7c8d44f0a717c21c8e

    • SHA1

      17629ccb3bd555b72a4432876145707613100b3e

    • SHA256

      f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

    • SHA512

      44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

    • SSDEEP

      49152:2oJAPtSHWxwJWzkDVkwg5NYUzNjteyUHBdH3y005:2ZAHWSxkfNNte9BpCN

    Score
    3/10
    behavioral8

    • Target

      data/appInfo/services/data/Launcher.dll

    • Size

      6KB

    • MD5

      f58866e5a48d89c883f3932c279004db

    • SHA1

      e72182e9ee4738577b01359f5acbfbbe8daa2b7f

    • SHA256

      d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12

    • SHA512

      7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177

    • SSDEEP

      96:b0bb/xXjs8XNeWeQUjCq61hl+L08Nuz+570phTlA8cP:bC/xXo89eWidohls7wK70vTlPcP

    Score
    1/10
    behavioral9

    • Target

      data/appInfo/services/data/Launcher.exe

    • Size

      364KB

    • MD5

      93fde4e38a84c83af842f73b176ab8dc

    • SHA1

      e8c55cc160a0a94e404f544b22e38511b9d71da8

    • SHA256

      fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

    • SHA512

      48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

    • SSDEEP

      6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

    Score
    5/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral10

    • Target

      data/appInfo/services/wget.exe

    • Size

      4.9MB

    • MD5

      8c04808e4ba12cb793cf661fbbf6c2a0

    • SHA1

      bdfdb50c5f251628c332042f85e8dd8cf5f650e3

    • SHA256

      a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

    • SHA512

      9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

    • SSDEEP

      98304:bHObnQdOb3OWEqNHeHq6PdOnS8SOGdVilQeHPpXF0aGOVxuGqYE6hpAl/70pzd+Z:bHInQ5WE2HeHq61OJSOGdVilQeHPpXFA

    Score
    1/10
    behavioral11

    • Target

      data/tAoMyd4BMpNH

    • Size

      20KB

    • MD5

      4be6bf24534cfb6c0a3309b2c89fd76e

    • SHA1

      fa5f53bad3abb3cf9ab2741d7293e89b10948061

    • SHA256

      dcb5b0980c7892a3204cf08c61d143cc0fcfdf65607fb319dbec4911a329ecd9

    • SHA512

      5ef457259af9d65c03d29b4414fec1d304c42f83a9e6e3164c5aa61c296d68f8a8735fc3db89939dbc51eebb421b620f2eb05d109f9b09fb41e81e9d7562c6e0

    • SSDEEP

      384:iCesm0WsTFWIfj6d5KtzwIRqCKfHshMdWcP3p4NeL99Cv+oAEzqBjf3H6iN:iCu0L5WIUqzvwC0MhMpP3Z4zqV6iN

    Score
    1/10
    behavioral12

MITRE ATT&CK Enterprise v15

Tasks