Overview

overview

10

Static

static

3

bf550e571e...73.exe

windows7-x64

10

bf550e571e...73.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    bf550e571ef0bf5b24387f59769ba89e05c0b5ad42e23f01f0bae341517c6e73.zip

  • Size

    2.2MB

  • Sample

    240502-teq85sed52

  • MD5

    75ddfd842e1ec068f377e7d7a34977a0

  • SHA1

    61657ceeeb6212fdc454ece9e8af823d833ab936

  • SHA256

    740ba0e428f5acd5a76ef31eed8fa08b4859d4470981c823324e9e92d3811d56

  • SHA512

    03808627530c301f9ab00cdc2305cea01becfde901d38a9d15a947262f2ceaba315bfc5d1f860afa5c1de11471900e6fa970709be4fa396b1381655d6295679e

  • SSDEEP

    49152:3jO5ovVBzjzWqOBeFa4aJDgyZGmtmBLrkpRIFp+pvmRn9CqB9oeJC:3jlNdzAlbGyZJmBLkC+Cn9CE9oeJC

Score
10/10
amadeyriseprocollectiondiscoveryevasionpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

risepro

C2

147.45.47.93:58709

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes
  • install_dir

    5454e6f062

  • install_file

    explorta.exe

  • strings_key

    c7a869c5ba1d72480093ec207994e2bf

  • url_paths

    /sev56rkm/index.php

rc4.plain

Targets

    • Target

      bf550e571ef0bf5b24387f59769ba89e05c0b5ad42e23f01f0bae341517c6e73.exe

    • Size

      2.3MB

    • MD5

      34e7c2c1e0405d08e397c9ff472c1229

    • SHA1

      9383381a26fbf83ee5f6bec12b8c2f4aac6b2079

    • SHA256

      bf550e571ef0bf5b24387f59769ba89e05c0b5ad42e23f01f0bae341517c6e73

    • SHA512

      cf28db337a3e2a9103e532b66977495a00830ec664a1ed254510071bba07498e58137109dfe215f0768ef9e846b8b57b5b014a516d140265e0a3c3b0f875df91

    • SSDEEP

      49152:9GY5918NqwTEgTcQ7S6fgWTLUU2LPP7y6q7jtaN3zNJBUcx:ihTPxIWUdPPW6qwDpUc

    Score
    10/10
    riseprocollectiondiscoveryevasionpersistencespywarestealeramadeythemidatrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks