General

  • Target

    ^@l@tEst_SetUp_2025__P@ssCodE@^.zip

  • Size

    7.4MB

  • Sample

    240618-x451dayhmk

  • MD5

    5d4e29d57fc0747eb4021385b93b5b12

  • SHA1

    e57575342a64150fc768e6f16672e72f3171afc9

  • SHA256

    83c0c6ee5015ea0fef17e099e4b8f4ab923009349b6a0571a7fa1cc2502cc8f5

  • SHA512

    fb04b7a2fb23fa565d121f42fa0e1a1cb1921ea42edb31aab36fd67b78409515528354c2c0c88688c01961cb8fe787ec0e19ed3ff05793e966aa9a8de80fdae7

  • SSDEEP

    196608:h/7cUKiLYRFY5zHksiwZP2dqPWIlfaFcyNC//Q:hjcUKiLYHcQQ4kOIWgw

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

amadey

Version

4.30

Botnet

ffb1b9

C2

http://proresupdate.com

Attributes
  • install_dir

    4bbb72a446

  • install_file

    Hkbsse.exe

  • strings_key

    1ebbd218121948a356341fff55521237

  • url_paths

    /h9fmdW5/index.php

rc4.plain

Targets

    • Target

      ^@l@tEst_SetUp_2025__P@ssCodE@^/Setup.exe

    • Size

      293KB

    • MD5

      d9602ab0e6370519bd54d13d22dd6ef5

    • SHA1

      95a3a7afdb00e1b2a99fddfe5d3203aa5cd4a09d

    • SHA256

      63ec17feda1f0ea80e0dd7b7938fbf7354aedf8d9f4041543afca9a35337f7bf

    • SHA512

      4587ca630bf5e421e48d5ac7f9ac6866000b06a99d89c1ca31c999414a63ba06a6be2e11467c045b0e2cddb21d792342e69977e6abda6e265b91044e2c8007cd

    • SSDEEP

      6144:jFnHaRGVUA2LOPQNk1Ekle0SnYBV+MiySwq+Q+KxwpwF1oPOmYjeTV4jog:ZnHaRPKIk1Ekle0SQq+Q+OwpwnV4g

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

4
T1005

Tasks