Overview (score 10)
Static (score 3)

Behavioral task tabs (sample / platform / score):
Launcher.dll / windows10-2004-x64 / 1
Launcher.dll / windows11-21h2-x64 / 1
Launcher.exe / windows10-2004-x64 / 10
Launcher.exe / windows11-21h2-x64 / 10
data/HzkTNOg6s1em.ps1 / windows10-2004-x64 / 3
data/HzkTNOg6s1em.ps1 / windows11-21h2-x64 / 3
data/appIn...m4.ps1 / windows10-2004-x64 / 3
data/appIn...m4.ps1 / windows11-21h2-x64 / 3
data/appIn...5c.ps1 / windows10-2004-x64 / 3
data/appIn...5c.ps1 / windows11-21h2-x64 / 3
data/appIn...er.dll / windows10-2004-x64 / 1
data/appIn...er.dll / windows11-21h2-x64 / 1
data/appIn...er.exe / windows10-2004-x64 / 8
data/appIn...er.exe / windows11-21h2-x64 / 8
data/appIn...AR.exe / windows10-2004-x64 / 4
data/appIn...AR.exe / windows11-21h2-x64 / 4
data/appIn...er.dll / windows10-2004-x64 / 1
data/appIn...er.dll / windows11-21h2-x64 / 1
data/appIn...er.exe / windows10-2004-x64 / 8
data/appIn...er.exe / windows11-21h2-x64 / 8
data/appIn...et.exe / windows10-2004-x64 / 1
data/appIn...et.exe / windows11-21h2-x64 / 1
data/tAoMyd4BMpNH.ps1 / windows10-2004-x64 / 3
data/tAoMyd4BMpNH.ps1 / windows11-21h2-x64 / 3

Resubmissions
22-05-2024 00:08 / 240522-ae8cwaee3v / score 10

General
Target: NordVPN-10_11.zip
Size: 217.6MB
Sample: 240522-ae8cwaee3v
MD5: dc4f1a240f8a940977284ce77f876439
SHA1: 6b013a62e9d0d511256f69abc4ded33c7f291772
SHA256: 3f80c20fecafcfa264532eae938edb81dd04c8d0335c366f0b3c4c64ad529967
SHA512: f92f00734f19c669c26febe8e227d7a2f3f23b901e21c9a9ec19ad9e4aac9863c9ef32f03b8d646ec4a4e1d67769d833012698c0d720a049f0c9af342d3f29c1
SSDEEP: 6291456:a74mfEYvZivD8HFBsPzmG9yGvaOBdUFyHZJMLpQm:a7fEYvRlBsPzmG9P3BdTDMLD
Static task: static1

Behavioral tasks (task: sample, resource):
behavioral1: Launcher.dll, win10v2004-20240508-en
behavioral2: Launcher.dll, win11-20240426-en
behavioral3: Launcher.exe, win10v2004-20240426-en
behavioral4: Launcher.exe, win11-20240508-en
behavioral5: data/HzkTNOg6s1em.ps1, win10v2004-20240508-en
behavioral6: data/HzkTNOg6s1em.ps1, win11-20240508-en
behavioral7: data/appInfo/UqYyr4PZlPm4.ps1, win10v2004-20240508-en
behavioral8: data/appInfo/UqYyr4PZlPm4.ps1, win11-20240426-en
behavioral9: data/appInfo/Zxph8ZShJw5c.ps1, win10v2004-20240426-en
behavioral10: data/appInfo/Zxph8ZShJw5c.ps1, win11-20240508-en
behavioral11: data/appInfo/services/Launhcer.dll, win10v2004-20240426-en
behavioral12: data/appInfo/services/Launhcer.dll, win11-20240426-en
behavioral13: data/appInfo/services/Launhcer.exe, win10v2004-20240508-en
behavioral14: data/appInfo/services/Launhcer.exe, win11-20240426-en
behavioral15: data/appInfo/services/WinRAR.exe, win10v2004-20240508-en
behavioral16: data/appInfo/services/WinRAR.exe, win11-20240508-en
behavioral17: data/appInfo/services/data/Launcher.dll, win10v2004-20240426-en
behavioral18: data/appInfo/services/data/Launcher.dll, win11-20240508-en
behavioral19: data/appInfo/services/data/Launcher.exe, win10v2004-20240226-en
behavioral20: data/appInfo/services/data/Launcher.exe, win11-20240426-en
behavioral21: data/appInfo/services/wget.exe, win10v2004-20240426-en
behavioral22: data/appInfo/services/wget.exe, win11-20240426-en
behavioral23: data/tAoMyd4BMpNH.ps1, win10v2004-20240508-en
behavioral24: data/tAoMyd4BMpNH.ps1, win11-20240508-en
Malware Config
Extracted: amadey 4.19 (28ef06)
C2:
http://185.196.10.188
http://45.159.189.140
http://89.23.103.42
install_dir: b4e248fdbd
install_file: Dctooux.exe
strings_key: 01edd7c913096383774168b5aeebc95e
url_paths:
/hb9IvshS/index.php
/hb9IvshS2/index.php
/hb9IvshS3/index.php
Targets

Target: Launcher.dll
Size: 2KB
MD5: 32e7556ff4f5256d15e1fc843cee5e3d
SHA1: b7283061428e9ca741c26dcfc3e869e2fc699f0b
SHA256: b2f5dfcba2018e9b4314c245f6391783bd3717fe02fec3e6edf1b9d1a3801278
SHA512: d39ca3fd8edb7db7e19655ea3aa69d8b0a4008514ed356808b59f7cdf4c109b7efd0ed54f6ea099d37b33f107f234adc4f01a178c90961e88d3c9ed7a8ebe40e
Score: 1/10

Target: Launcher.exe
Size: 364KB
MD5: 93fde4e38a84c83af842f73b176ab8dc
SHA1: e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256: fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512: 48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
SSDEEP: 6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2
Signatures:
- Rhadamanthys: Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Creates new service(s)
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: data/HzkTNOg6s1em
Size: 50KB
MD5: 7038dc43406aaa195889f20880cb49a4
SHA1: 2d398e6d8187c33cf00d10a96ddd32fd4218d94b
SHA256: 9b74b2cbc8ec3b2cfbf9f6f6c20f5f90576f8bb9c44fe5a8ed0109aa97f21bcb
SHA512: 9254fc4d470cfb633b98a748993b0bbc40f0ea0c2163ca56c2b99ab3c5700e978be200c99bc9be6f516ced04331391053dbe90b03e8d8844f0edd785b82f67a7
SSDEEP: 1536:gboSBtdpjqVkGRKA/hTsG7sg72LavYGWC0e+gU0:gbogtP0RKA/Jsg7KeYGKe+gU0
Score: 3/10

Target: data/appInfo/UqYyr4PZlPm4
Size: 150KB
MD5: 97faa935235531bac529a1eb0a533df1
SHA1: 0cdbcf1d9534b593a5cb33843a9e8d0445c91f97
SHA256: d8df009acf37dd59649a8f618b8e16ba67cace1746f86fab120715399f7c2890
SHA512: 6d3b680de730e83921452cf48c0d11062710d26d371076a3406ab7b36294d510b47cfcae80996381c06606636637eea5a55f8d79a38ad88f4a4364d397aa0cf9
SSDEEP: 3072:8FWJgA0YaAcuTjzDaa5WrTS2R+TlpFczpa9Ikmeiqe6Ix2EeJg2xb:88Fc4b4EpFczpa4+Eei2p
Score: 3/10

Target: data/appInfo/Zxph8ZShJw5c
Size: 110KB
MD5: 5249241ac29cdb71e1b4caad76149444
SHA1: f35ec18fcdc29885b028e2d5de7305d9b62088df
SHA256: cff4d04b160809cbc331713287f910d0bfba2bab205c655e58a3c847f6229a2c
SHA512: 28c51d9c9330e7e82f56362d9601ebbe2aee4ea81a6a684ce0acd4f583a17db68a580ba8e723581199904eedd4c0ef6ba8e9bd7fdd01309de39ec20c4685aeb0
SSDEEP: 3072:cpKcc3xtAjk2y/x92hYpXzoLtj6u8UtQAJ7+6X6e:cpKcitAI2yHGYtzoLtjRtQAJZXJ
Score: 3/10

Target: data/appInfo/services/Launhcer.dll
Size: 2KB
MD5: 7de0541eb96ba31067b4c58d9399693b
SHA1: a105216391bd53fa0c8f6aa23953030d0c0f9244
SHA256: 934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e
SHA512: e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3
Score: 1/10

Target: data/appInfo/services/Launhcer.exe
Size: 364KB
MD5: e5c00b0bc45281666afd14eef04252b2
SHA1: 3b6eecf8250e88169976a5f866d15c60ee66b758
SHA256: 542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903
SHA512: 2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387
SSDEEP: 6144:+pS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYql6wrEJWPYg:+p8KLBzQ7Lcf3SiQs2FTTql9unNrkv75
Score: 8/10
Signatures:
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.

Target: data/appInfo/services/WinRAR.exe
Size: 2.1MB
MD5: f59f4f7bea12dd7c8d44f0a717c21c8e
SHA1: 17629ccb3bd555b72a4432876145707613100b3e
SHA256: f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4
SHA512: 44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c
SSDEEP: 49152:2oJAPtSHWxwJWzkDVkwg5NYUzNjteyUHBdH3y005:2ZAHWSxkfNNte9BpCN
Score: 4/10

Target: data/appInfo/services/data/Launcher.dll
Size: 6KB
MD5: f58866e5a48d89c883f3932c279004db
SHA1: e72182e9ee4738577b01359f5acbfbbe8daa2b7f
SHA256: d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12
SHA512: 7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177
SSDEEP: 96:b0bb/xXjs8XNeWeQUjCq61hl+L08Nuz+570phTlA8cP:bC/xXo89eWidohls7wK70vTlPcP
Score: 1/10

Target: data/appInfo/services/data/Launcher.exe
Size: 364KB
MD5: 93fde4e38a84c83af842f73b176ab8dc
SHA1: e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256: fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512: 48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
SSDEEP: 6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2
Score: 8/10
Signatures:
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.

Target: data/appInfo/services/wget.exe
Size: 4.9MB
MD5: 8c04808e4ba12cb793cf661fbbf6c2a0
SHA1: bdfdb50c5f251628c332042f85e8dd8cf5f650e3
SHA256: a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272
SHA512: 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f
SSDEEP: 98304:bHObnQdOb3OWEqNHeHq6PdOnS8SOGdVilQeHPpXF0aGOVxuGqYE6hpAl/70pzd+Z:bHInQ5WE2HeHq61OJSOGdVilQeHPpXFA
Score: 1/10

Target: data/tAoMyd4BMpNH
Size: 20KB
MD5: 4be6bf24534cfb6c0a3309b2c89fd76e
SHA1: fa5f53bad3abb3cf9ab2741d7293e89b10948061
SHA256: dcb5b0980c7892a3204cf08c61d143cc0fcfdf65607fb319dbec4911a329ecd9
SHA512: 5ef457259af9d65c03d29b4414fec1d304c42f83a9e6e3164c5aa61c296d68f8a8735fc3db89939dbc51eebb421b620f2eb05d109f9b09fb41e81e9d7562c6e0
SSDEEP: 384:iCesm0WsTFWIfj6d5KtzwIRqCKfHshMdWcP3p4NeL99Cv+oAEzqBjf3H6iN:iCu0L5WIUqzvwC0MhMpP3Z4zqV6iN
Score: 3/10

MITRE ATT&CK Enterprise v15 (technique, number of tasks in which it was observed)
Execution
  Command and Scripting Interpreter (3)
    PowerShell (3)
  System Services (2)
    Service Execution (2)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Impair Defenses (1)
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)