Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://pwrxa.moliz....

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://pwrxa.moliz.site/rpbta

  • Sample

    240324-wras2ahc8w

Score
10/10
amadeyrhadamanthysevasionpersistencestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

4.19

C2

http://185.196.10.188

http://45.159.189.140

http://89.23.103.42
Attributes
  • install_dir

    b4e248fdbd

  • install_file

    Dctooux.exe

  • strings_key

    01edd7c913096383774168b5aeebc95e

  • url_paths

    /hb9IvshS/index.php

    /hb9IvshS2/index.php

    /hb9IvshS3/index.php

rc4.plain

Targets

    • Target

      https://pwrxa.moliz.site/rpbta

    Score
    10/10
    amadeyrhadamanthysevasionpersistencestealertrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks