General

  • Target

    fd991242964f1d851fc1277658d40a357c87e2032d813ec86ad3503fd40d7db3

  • Size

    1.8MB

  • Sample

    240420-yrjr2shb3x

  • MD5

    4f924d31ec92af6ef6250e7723f098e0

  • SHA1

    f3c6119a04b8266d3b13363f5bb82c4190a5f626

  • SHA256

    fd991242964f1d851fc1277658d40a357c87e2032d813ec86ad3503fd40d7db3

  • SHA512

    ec27b19fff72acec46a49c6c3043c1d8ea34c8b00891656bafab46ff2ea6aad7c4a4c7aeb8f592e796106a977ef48939826512ccc6c227e7fc5eca79aa9faa63

  • SSDEEP

    24576:Uj4nOe4ELs64tQaGkM72fJyFzdnhxln+XoTwzZfy4iwRqf1atqzfry7q0D3VB4:U8Pps6cdM72fJwhx5+nzVysmaqzjURB

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes
  • install_dir

    4d0ab15804

  • install_file

    chrosha.exe

  • strings_key

    1a9519d7b465e1f4880fa09a6162d768

  • url_paths

    /enigma/index.php

rc4.plain

Extracted

Family

xehook

C2

https://unotree.ru/

https://aiwhcpoaw.ru/

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Xehook Payload

    • Xehook stealer

      Xehook is an infostealer written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks