General

  • Target

    files.zip

  • Size

    14.8MB

  • Sample

    240618-x2ncjsvdnh

  • MD5

    53fa5a7d4d0c2e9a070798baa3f70dac

  • SHA1

    a7eb858867e443c051ba4bbe9fcb437a552aea0e

  • SHA256

    bb69ef3c30364a122b6bb6a9a35383eb20fc944385ae8cce332b85ae11c32106

  • SHA512

    10ead84cc8155cfaa72288916054ebae6c6e8c4c647a9ef7a8a4b49da36aebadff1918883d3cbe69449c871aec88b842c19439fcb095f4f6ced5166ba0ba1448

  • SSDEEP

    393216:7dPUs09wbsbAXGhOJlkVPpPQDOfOMLSA/Y8:657boi82BYm9Q8

Malware Config

Extracted

  • Family

    stealc

  • rc4.plain

Extracted

  • Family

    amadey

  • Version

    4.30

  • Botnet

    ffb1b9

  • C2

    http://proresupdate.com

  • Attributes

    • install_dir

      4bbb72a446

    • install_file

      Hkbsse.exe

    • strings_key

      1ebbd218121948a356341fff55521237

    • url_paths

      /h9fmdW5/index.php

  • rc4.plain
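The report gives an Amadey strings_key and an rc4.plain field for both families, but no decrypted strings. The following is an added example, not Triage output and not code from either malware family: a self-contained RC4 routine that can be pointed at hex-encoded encrypted strings from a config dump, plus a printable-ratio check for deciding which of several reported keys a blob belongs to. It assumes the strings_key is used as the raw ASCII RC4 key (an assumption; the page does not show the key schedule). The ciphertext it decrypts is constructed inside the block, and the "Key"/"Plaintext" vector is the standard RC4 test vector.

```python
# Added example (not Triage's nor the sample's own code): RC4 helper for checking a
# Triage-reported key against encrypted strings. Assumption: Amadey 4.x applies RC4
# with the reported strings_key as the raw ASCII key; the ciphertexts used below are
# constructed here with the same routine, not blobs pulled from the sample.
from typing import Iterable, Iterator, List, Optional

STRINGS_KEY = b"1ebbd218121948a356341fff55521237"  # strings_key from the report


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Key-scheduling algorithm followed by the PRGA; yields keystream bytes."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (or tab/CR/LF); judges a candidate key."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def decrypt_strings(key: bytes, hex_blobs: Iterable[str]) -> List[str]:
    """Decrypt hex-encoded RC4 blobs (the usual form in a config dump) to text."""
    return [rc4(key, bytes.fromhex(h)).decode("utf-8", errors="replace") for h in hex_blobs]


def pick_key(candidates: Iterable[bytes], hex_blob: str, threshold: float = 0.9) -> Optional[bytes]:
    """Return the first candidate key whose output looks like text, else None.

    Useful when a report lists several keys (one per family) and it is unclear
    which one a given blob was encrypted with.
    """
    ct = bytes.fromhex(hex_blob)
    for key in candidates:
        if printable_ratio(rc4(key, ct)) >= threshold:
            return key
    return None


if __name__ == "__main__":
    # Constructed ciphertext: the C2 path from the report, encrypted with STRINGS_KEY.
    blob = rc4(STRINGS_KEY, b"/h9fmdW5/index.php").hex()
    print(blob)
    print(decrypt_strings(STRINGS_KEY, [blob]))
    print(pick_key([b"wrongkey", STRINGS_KEY], blob))
```

If a real blob from the sample decrypts to noise under strings_key, the key is being used differently (hashed, base64-decoded, or per-string) and the assumption above is wrong for that build; the printable-ratio check is what tells you.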

Targets

    • Target

      files/Setup.exe

    • Size

      316KB

    • MD5

      c637e5ecf625b72f4bef9d28cd81d612

    • SHA1

      a2c1329d290e508ee9fd0eb81e7f25d57e450f8c

    • SHA256

      111c56593668be63e1e0c79a2d33d9e2d49cdf0c5100663c72045bc6b76e9fe6

    • SHA512

      727d78bab4fab3674eec92ca5f07df6a0095ab3b973dd227c599c70e8493592bb53bb9208cc6270713283ef0065acfad3203ddcf4dcb6d43f8727f09ceaaf2e4

    • SSDEEP

      6144:VzsRSKkhKKXDD2mTLGxelHJ+SBae3VFpSX:6VkhZWEGxelH0SBtfpS

    • Amadey

      Amadey is a simple trojan bot that collects reconnaissance information about the host and fetches further payloads; this report also flags the Stealc and Vidar infostealers and an XMRig miner payload alongside it.

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence (refusing to run on hosts in certain countries).

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      Rewrites a thread's saved register context (typically of a suspended thread) so that execution resumes at injected code, as in process hollowing and similar injection techniques.
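The indicator list above reads as a set of host and network artefacts. As an added example that is not part of the report, the block below turns those indicators and the extracted config into checks over constructed telemetry: SHA-256 lookup against the two reported digests, the Amadey C2 host and url_path, the install_dir/install_file, and registry and file access patterns. The registry keys and file paths it matches (Control Panel\International\Geo, the Uninstall key, FileZilla's sitemanager.xml, a Chromium "Login Data" file, wallet.dat) are assumptions about what the signatures key on, not something the page states; the event dicts are a made-up schema, not Sysmon or EDR output.

```python
# Added example, not part of the Triage report: turns the listed indicators into
# checks over constructed telemetry. The registry and file paths named here are
# assumptions about what those signatures key on (the page names only FileZilla,
# browsers, e-mail clients and wallets); the event dicts are a simplified made-up
# schema, not real Sysmon/EDR output.
import hashlib
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# IOCs taken verbatim from the report.
REPORT_SHA256 = {
    "bb69ef3c30364a122b6bb6a9a35383eb20fc944385ae8cce332b85ae11c32106": "files.zip",
    "111c56593668be63e1e0c79a2d33d9e2d49cdf0c5100663c72045bc6b76e9fe6": "files/Setup.exe",
}
C2_HOST = "proresupdate.com"
C2_PATH = "/h9fmdW5/index.php"
INSTALL_DIR = "4bbb72a446"
INSTALL_FILE = "hkbsse.exe"

# Assumed artefact patterns behind the listed signatures (not stated on the page).
REGISTRY_RULES = [
    (re.compile(r"control panel\\international\\geo", re.I), "Checks computer location settings"),
    (re.compile(r"\\currentversion\\uninstall(\\|$)", re.I), "Checks installed software on the system"),
]
FILE_RULES = [
    (re.compile(r"\\filezilla\\(sitemanager|recentservers)\.xml$", re.I), "Reads data files stored by FTP clients"),
    (re.compile(r"\\user data\\.*\\(login data|cookies|web data)$", re.I), "Reads user/profile data of web browsers"),
    (re.compile(r"\\(thunderbird|outlook)\\", re.I), "Reads user/profile data of local email clients"),
    (re.compile(r"(wallet\.dat|\\exodus\\|\\electrum\\)", re.I), "Accesses cryptocurrency files/wallets"),
]


def known_hash(sha256_hex: str) -> Optional[str]:
    """Look up a SHA-256 digest (e.g. from an EDR export) in the report's set."""
    return REPORT_SHA256.get(sha256_hex.lower())


def hash_bytes(data: bytes) -> str:
    """SHA-256 of in-memory file content, for feeding known_hash()."""
    return hashlib.sha256(data).hexdigest()


def is_c2_url(url: str) -> bool:
    """Match the Amadey C2 host and url_path; scheme, port and query are ignored."""
    parts = urlsplit(url)
    return parts.hostname == C2_HOST and parts.path == C2_PATH


def is_install_path(path: str) -> bool:
    """Amadey's install_dir / install_file from the extracted config."""
    parts = [p.lower() for p in re.split(r"[\\/]", path) if p]
    return bool(parts) and (parts[-1] == INSTALL_FILE or INSTALL_DIR in parts)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the report indicator names an event matches (may be several)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "registry":
        hits += [name for rx, name in REGISTRY_RULES if rx.search(event["key"])]
    elif kind == "file":
        hits += [name for rx, name in FILE_RULES if rx.search(event["path"])]
        if is_install_path(event["path"]):
            hits.append("Amadey install path")
    elif kind == "http":
        if is_c2_url(event["url"]):
            hits.append("Amadey C2")
    elif kind == "process":
        label = known_hash(event["sha256"])
        if label:
            hits.append("Known sample hash: " + label)
    return hits


def summarize(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count indicator hits over a batch of events."""
    counts: Dict[str, int] = {}
    for ev in events:
        for name in classify(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"type": "file", "path": r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\Temp\4bbb72a446\Hkbsse.exe"},
    {"type": "http", "url": "http://proresupdate.com/h9fmdW5/index.php"},
    {"type": "http", "url": "http://proresupdate.com/robots.txt"},
    {"type": "process", "sha256": "111C56593668BE63E1E0C79A2D33D9E2D49CDF0C5100663C72045BC6B76E9FE6"},
]

if __name__ == "__main__":
    for name, n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{n:2d}  {name}")
```

The host-only match on proresupdate.com is deliberately not treated as a hit: a request to the domain without the reported url_path is worth a look but is not the beacon the config describes, and keeping the two apart avoids drowning the precise IOC in noise.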

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                      Count  ID
  --------------------  -----------------------------  -----  ---------
  Persistence           Event Triggered Execution      1      T1546
                        Netsh Helper DLL               1      T1546.007
  Privilege Escalation  Event Triggered Execution      1      T1546
                        Netsh Helper DLL               1      T1546.007
  Defense Evasion       Subvert Trust Controls         1      T1553
                        Install Root Certificate       1      T1553.004
                        Modify Registry                1      T1112
  Credential Access     Unsecured Credentials          4      T1552
                        Credentials In Files           4      T1552.001
  Discovery             Query Registry                 3      T1012
                        System Information Discovery   3      T1082
  Collection            Data from Local System         4      T1005
