General

  • Target: @^FulLFile_PCSetup_33221_ṔḁṨSKey_^$.rar
  • Size: 9.1MB
  • Sample: 240618-p7t4aaydqp
  • MD5: 0c5e4050a2bb911ee225ea0b40f6a0ac
  • SHA1: 4672c909786cfa77ccd1c4350073a09ac3e1b023
  • SHA256: 6482c2b99f55cd9be24f6653dc9f63a43442ac7872dafb5364833c7ca20ecb25
  • SHA512: 136079a603ec01fd43ad785997059464a4a86f46d2ac0eb9828c8960663df47dddb69fe2e2869f67ad7baff6e0433c97cbea8f0119e09cc65d8355f9d1db4dfc
  • SSDEEP: 196608:sOIcnX5QaQIWC5SUNecTfwHGU3/R6oK7FW:sORniaQDC5zzWXgl7FW

Malware Config

Extracted
  • Family: stealc
  • rc4.plain

Extracted
  • Family: amadey
  • Version: 4.30
  • Botnet: ffb1b9
  • C2: http://proresupdate.com
  • Attributes
    • install_dir: 4bbb72a446
    • install_file: Hkbsse.exe
    • strings_key: 1ebbd218121948a356341fff55521237
    • url_paths: /h9fmdW5/index.php
  • rc4.plain

Targets

    • Target: Setup.exe
    • Size: 5.5MB
    • MD5: ae697c5f8ef74fbe8daf09358afd9324
    • SHA1: 8e18a9ee76df13daa5cfaf079872c77a25f15338
    • SHA256: 4fc64e114f80ce755040ac2891bd1fab0492a831177491f3fe1382adf94030f9
    • SHA512: 6f2bdd0c9d746218ab8c215e7d9fe1acaaf39763077eaf1a03754acb4d8ccfd518b052d98675ebf0233bbd3aa87ceffe1ffcdc14219b0a6f308d84a978a5f23a
    • SSDEEP: 49152:mUWKwBCwZwchtBQmK2OMaKoEL+4V1njSYu65d8OtZUyZZlACMtUJoiIUCNPoBkYe:41BCwZwc5QfKRL+wfdhBWCdxA

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1546 Event Triggered Execution (1)
    • T1546.007 Netsh Helper DLL (1)

Privilege Escalation
  • T1546 Event Triggered Execution (1)
    • T1546.007 Netsh Helper DLL (1)

Defense Evasion
  • T1553 Subvert Trust Controls (1)
    • T1553.004 Install Root Certificate (1)
  • T1112 Modify Registry (1)

Credential Access
  • T1552 Unsecured Credentials (4)
    • T1552.001 Credentials In Files (4)

Discovery
  • T1012 Query Registry (3)
  • T1082 System Information Discovery (3)

Collection
  • T1005 Data from Local System (4)
