General

  • Target

    files.zip

  • Size

    8.7MB

  • Sample

    240618-xn8fkavcja

  • MD5

    13c3d528da9daeb96668f0f98cd68969

  • SHA1

    0d943aa66f33d36f7123fb2a4252334810936238

  • SHA256

    b7fd8320d8c4c416bd3f033cd7e823c71866f07c965806bbaba5699a0bbaa49e

  • SHA512

    235d3324c2dfa4930700ec03e51eba2fff7813c1dbded1d9e8a15c5a30a83cc4f0570d315c70f6e022fc2ee3c4d7df4f472e6f3206103b7116384b25fd5779c9

  • SSDEEP

    196608:x6FeJSpuuac04Wp4K1ZcRME8TKFYv7M3QgF4hsdoM+LaBe//O:x6FeJSrx04Wp4aRdOCvC4moMVYu

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

amadey

Version

4.30

Botnet

ffb1b9

C2

http://proresupdate.com

Attributes
  • install_dir

    4bbb72a446

  • install_file

    Hkbsse.exe

  • strings_key

    1ebbd218121948a356341fff55521237

  • url_paths

    /h9fmdW5/index.php

rc4.plain

Targets

    • Target

      files/Setup.exe

    • Size

      202KB

    • MD5

      64179e64675e822559cac6652298bdfc

    • SHA1

      cceed3b2441146762512918af7bf7f89fb055583

    • SHA256

      c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9

    • SHA512

      ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

    • SSDEEP

      3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      files/WCLDll.dll

    • Size

      590KB

    • MD5

      9005812bebfcc98db95def5b1c9b96f0

    • SHA1

      d85f085c59fe8cca75352399ebc8510e2799bf68

    • SHA256

      8acf6eea851ccd43a33eee9840794b9944eed61e5be0a7c403b79d3baa48940c

    • SHA512

      c25c4eaef2d40d5294fcd2b15f3065cb3c6cad19cc5c32da4a81b20d99023dbfcccfa5fbc2d79f45892f7d858c04d956f1734d0359054fae9e609a5d604ab0b1

    • SSDEEP

      12288:i+Se970XqzxUmUkVakh1d4wJjfXB7w86ywKUc6A9iSOJ7zP8cl7ksEjwdA9iOaQ:ce97qqzxXUkckh1d4wJjfB8vywKUc6A7

    Score
    1/10
    • Target

      files/msvcp140.dll

    • Size

      427KB

    • MD5

      71a0aa2d05e9174cefd568347bd9c70f

    • SHA1

      cb9247a0fa59e47f72df7d1752424b33a903bbb2

    • SHA256

      fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47

    • SHA512

      6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

    • SSDEEP

      12288:bBsEzAVPIODrCdVgI7bwv674dOzhUgiW6QR7t5s03Ooc8dHkC2esy2n:9s8AVwOU7bwTdt03Ooc8dHkC2en2n

    Score
    3/10
    • Target

      files/ptMgr.dll

    • Size

      2.5MB

    • MD5

      01069f45230cd2036d138295d1019ae5

    • SHA1

      6333e77ea19d69779d6e5445eb51c8e29c3af5c3

    • SHA256

      7ada08db595f00c1bafbabe168a964466fbb691caf4ac70fb63e8c4b2b2a9f85

    • SHA512

      0b3fa8c71b0dd117aadc64fd3dbe00639812861c3449345c45fd3037b5196259351532b3e2dadecea1318448be69794a1772d11df2fc8fbfaa8af52be3926827

    • SSDEEP

      49152:wvSyYrklCGEFFKYy3Hlll43MkyoYh0iXGu2B1BItuEjlIeUZhQZZmRvCP:dEkGlDlH1VZ0uGu2lIr

    Score
    3/10
    • Target

      files/ptusredt.dll

    • Size

      165KB

    • MD5

      3c3e960d59cb413791fee1e944b6df72

    • SHA1

      4aa6c90d81692642ca8266bf0d8e249ff3e3ad54

    • SHA256

      88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67

    • SHA512

      85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac

    • SSDEEP

      3072:Ze0HJrRJW9+tjxQGsfzeV0YuNmu5uWj5ONq/1epLcv60H9+v:8SrRJGeNsry0hmuqRoy0H9u

    Score
    1/10
    • Target

      files/vcruntime140.dll

    • Size

      81KB

    • MD5

      16b26bc43943531d7d7e379632ed4e63

    • SHA1

      565287de39649e59e653a3612478c2186096d70a

    • SHA256

      346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517

    • SHA512

      b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

    • SSDEEP

      1536:BDpX0WKXQn6s8/oB6xMSKgS9WnESDPIYMWC/q6mYIeTsu03/huecbFWzZoi:BF0ZQnm/oBab8y6mfe0vhuecbFWzZoi

    Score
    3/10
    • Target

      files/vcruntime140_app.dll

    • Size

      21KB

    • MD5

      c0f29bd3b0eb4d8795d609a0c52e0926

    • SHA1

      2f1958696d66edaf38079e370dcc2b41c7474122

    • SHA256

      813a447192c4fa7d25d0716b769399546f8bf6b31269dd8ad47f9812008d79e6

    • SHA512

      02bc56ad129a7d6382ba8d68b68a52fa70ace9bce68aae56d901bc60451982e358805e950ab49ae3d0c052c2ac6d44a6f5ab3679cd4ce2fbb205e4a8c7d7b670

    • SSDEEP

      384:K0g/dJiHlDoeuczbaj7wTfzvg55dHRN7ooiFWSlGs4kz:w/d8lDoeuczbaj7Cg9jHPs

    Score
    3/10
    • Target

      files/wbxtrace.dll

    • Size

      103KB

    • MD5

      c2b06a78b6c07a1371b6aed1dbf4fc37

    • SHA1

      b8847693e7cd3637b1b400e71430cdf629de2e64

    • SHA256

      9e2b2d67d0e70651a64a3febee9f2698d8a939633587fe973a30758368cffc04

    • SHA512

      219965e4b3e9f237f75d9306bdf5a08c872cded973009da64c58221e1bbdbfda35e4861c4c0b6687fca7c67ef496b307695af5e1270f8d5c3cf71a3fc02c6411

    • SSDEEP

      1536:HAIwJ6LSNBZVrzq8HpWt6/wwmSM4QnToIf2TuU/huhAmJ8dDUfH:HnSNBHUt6/wSM4kTBf2iU/huhFJwM

    Score
    1/10
    • Target

      files/x86/HDHelper_[0MB]_[1].exe

    • Size

      566KB

    • MD5

      8a179892518a2c4e8a63afa91de7bdce

    • SHA1

      e9b095c966ccc4c4900b4cf741c067d2a0f43cd4

    • SHA256

      72ece91f65a461c5023695bf5f31b5b6b5bd629dba8407524e8144f6d1e160e8

    • SHA512

      91abb220c222a89a2df27818b8385b4015128a35b7d4c43d0f497717a4e5a55dfb9dc1da3f47a49a2400ea8300d41d52277331a6c7c3437ac5cb867a4027b220

    • SSDEEP

      12288:voJoMf8uSKkd/kAseRy/M96oQD08WjWYatid4TwzSxK/G8kHcL:CEKkd/wXMwoQJW6Ya5TwzUKeH8L

    Score
    1/10
    • Target

      files/x86/NvStereoUtilityOGL_[1MB]_[1].exe

    • Size

      1.1MB

    • MD5

      017cd77d01314e72a973ff0c7882453d

    • SHA1

      288238159cf18418149f5cd3475a6ebb9f45a631

    • SHA256

      c2c71318a17f7f767e5d203d22b48f27eecae46a4f37082d7b413c51da6183b3

    • SHA512

      b1d4c87e7d8585c16aa50499398c9a04d90bcd32ab36fbf7a357bc15abce0cd802a259cc7431de9fe2ca77aa68298aab5041157308be4601f7f7aa0c3c180b03

    • SSDEEP

      24576:zCVnoQHgdFnJhVaqajA4+ubDaSKYqSpamUbSBe:zgnoFFnJjaqajA4+yaSK5SpamUbSBe

    Score
    3/10
    • Target

      files/x86/VSLauncher_[0MB]_[1].exe

    • Size

      281KB

    • MD5

      7a7bb3b0e57e4fb32c57b74e78e657ad

    • SHA1

      f1dee943b1b6238b1466d83325c4099d189cd4b5

    • SHA256

      87048cff2227d2901314760618d23917cfbc5cc15fc22dc355e803c5ee5fb211

    • SHA512

      ef0c9985b640189ed9991b301cfbf9771df961e1bf67bf68c5833667db53977c9745bcfb42e059d8bb5bcd7a88253a715d86f65612dccc33514ccda3baaf24c2

    • SSDEEP

      3072:Dawahjy56hh65Ndqp9ikqtPLy0gJmU/3j41IGvQC2mCILuCW+VoNDRUiuDhJoueT:dLlavj41nDlDOO9uunwiLWyIE2n

    Score
    1/10
    • Target

      files/x86/api-ms-win-core-processthreads-l1-1-1.dll

    • Size

      17KB

    • MD5

      29001f316ccfc800e2246743df9b15b3

    • SHA1

      dc734266648d3463c1f8d88c1ce7d900a4e3b26c

    • SHA256

      e5ea2c21fb225090f7d0db6c6990d67b1558d8e834e86513bc8ba7a43c4e7b36

    • SHA512

      4cffc0c6f94fcd1155909993c622b9103abd7a7bce88742a10abd6a3496a334d667a39bb601f99eb174aa847d7dae056e0d9769754ca86320579b262a20a6599

    • SSDEEP

      384:WRtwDfIe9jWfhWC+Y3DGk8ZpH3GCJErra8o7Q+Y3DGUKn8JN77hhET:ape9A5DGkiRBEXaR70DGa3hqT

    Score
    1/10
    • Target

      files/x86/api-ms-win-core-profile-l1-1-0.dll

    • Size

      16KB

    • MD5

      6ee66dca31c5cce57740d677c85b4ce7

    • SHA1

      8969db03f98f9548caf8e2d8c7f2f5cd7071f333

    • SHA256

      d00a0edace14715bf79dbd17b715d8a74a2300f0adb1f3fc137edfb7074c9b0a

    • SHA512

      592e3b6c689a0d6c87079c54c3e13e6ee1fc0c5c770abc854040e85464687c46f0a558be22f8759dbc4a100810386ee379ffe4359cf9091d9afae548bc597be2

    • SSDEEP

      384:WiIWfhWx+Y3DGk8ZpH3GCJErcx3l/r7+Y3DGU78JN77hhC6UHR:doDGkiRBEWV/rxDGT3h06UHR

    Score
    1/10
    • Target

      files/x86/api-ms-win-core-rtlsupport-l1-1-0.dll

    • Size

      17KB

    • MD5

      0069fd29263c0dd90314c48bbce852ef

    • SHA1

      dfb99c850a69e67e85f0a0985659f325bd8f84fc

    • SHA256

      d11093fdc1d5c9213b9b2886ce91db3ded17ef8dae1615a8c7ffbc55b8e3f79b

    • SHA512

      71965e8dd2fd81d0c6dba4dbec8d2d1bfd4a644ef6bba4f6027de4bcdf9c07da16f27f2156c21b52e678c75f0a93a4bcbc3e1942f0a73f1eea5ff64b70662f70

    • SSDEEP

      384:WCGeVxWfhWD+Y3DGk8ZpH3GCJErYtN+Y3DGUO8JN77hhTew:3GeVmyDGkiRBEojDGa3h9ew

    Score
    1/10
    • Target

      files/x86/api-ms-win-core-string-l1-1-0.dll

    • Size

      17KB

    • MD5

      2e5c29fc652f432b89a1afe187736c4d

    • SHA1

      96f8480b9339411d5d8c94918e983523b1a55c56

    • SHA256

      3807db7acf1b40c797e4d4c14a12c3806346ae56b25e205e600be3e635c18d4f

    • SHA512

      fe1135532e18127f2cfefaaa4a19020d6c790374f648dc93383d58ee52b147d1451af01b8624234bd5d77abe2451eb3e15cbe72a19d283f00cf78c05c43041df

    • SSDEEP

      384:W4yMv9WfhWx+Y3DGk8ZpH3GCJEr4ey/+Y3DGU888JN77hhnY1:DyMvaIDGkiRBEsnDGX3hxY1

    Score
    1/10
    • Target

      files/x86/api-ms-win-core-synch-l1-1-0.dll

    • Size

      19KB

    • MD5

      979c67ba244e5328a1a2e588ff748e86

    • SHA1

      4c709ce527550eb7534cb6362afdb3623c98254e

    • SHA256

      8bb38a7a59fbaa792b3d5f34f94580429588c8c592929cbd307afd5579762abc

    • SHA512

      49f3c3319aa462b445c6a0b816e10034f6e5a9cf1250ea30b348cfa1ef71525e9f62e2f13253f61375f51fc574847de0d509cffa95103771be356327d5fef90d

    • SSDEEP

      384:Wjdv3V0dfpkXc0vVaCWfhWt+Y3DGk8ZpH3GCJErHZpn+Y3DGUrUN8JN77hhYl:Wdv3VqpkXc0vVabkDGkiRBEtplDGEUq8

    Score
    1/10
    • Target

      files/x86/api-ms-win-core-synch-l1-2-0.dll

    • Size

      17KB

    • MD5

      659e4febc208545a2e23c0c8b881a30d

    • SHA1

      11b890cc05c1e7c95f59eda4bb8ce8bc12b81591

    • SHA256

      9ac63682e03d55a5d18405d336634af080dd0003b565d12a39d6d71aaa989f48

    • SHA512

      010ab6d3971fabd2a956f891b8d9d20ef487e722443b2882a1a329830dc5c80d262e03a844cd3f5c3e4efcfbad72b9e1fbbf7d9dc6cf85ed034d84726946ce07

    • SSDEEP

      384:WHtZ36WfhW8+Y3DGk8ZpH3GCJEFxMDD+Y3DGEC8q8JN77hhFGT:EbDGkiRBEsJDGS13hj+

    Score
    1/10
    • Target

      files/x86/api-ms-win-core-sysinfo-l1-1-0.dll

    • Size

      18KB

    • MD5

      cef4b9f680faae322170b961a3421c5b

    • SHA1

      dd89a2d355df989bbd8648789472bfe9c14afcd5

    • SHA256

      1fe918979f1653d63bb713d4716910d192cd09f50017a6ecb4ce026ed6285df9

    • SHA512

      f56617290d4ac25231631d708a6c8b003bdd358bae9672f7dee539a96b292c13e04c65ba5f05937c52f73288eb3dd7cba479ed030942a0d9d3a15512548fa4a9

    • SSDEEP

      384:WBTnWfhWt+Y3DGk8ZpH3GCJEFxqIDh/h+Y3DGER6vJ8JN77hhHWT:0TsIDGkiRBE+IxfDGM6vW3h5WT

    Score
    1/10
    • Target

      files/x86/api-ms-win-core-timezone-l1-1-0.dll

    • Size

      17KB

    • MD5

      69df2cce4528c9e38d04a461ba1f992b

    • SHA1

      bb1d0da76cf696acf2e0f4e03e6d63fbad4325aa

    • SHA256

      a108a8f20ded00e742a1f818ef00eb425990b6b24a2bcd060dea4d7f06d3f165

    • SHA512

      4d02eecdda0fffc10d5509830079984c7a887b4ca3a80359aa56117b302dcfa594b0710c9f415c823d1674b5c689d31aade44f21750ccd7d53010e67f0b6f0d2

    • SSDEEP

      384:WGOWfhWc+Y3DGk8ZpH3GCJEFxi+3T7Tu+Y3DGEu8JN77hh2KI:5XDGkiRBEm+uDGQ3h7I

    Score
    1/10
    • Target

      files/x86/api-ms-win-core-util-l1-1-0.dll

    • Size

      17KB

    • MD5

      c6553959aecd5bac01c0673cfdf86b68

    • SHA1

      045585659843f7214c79659a88302996bfb480a2

    • SHA256

      68bd9c086d210eb14e78f00988ba88ceaf9056c8f10746ab024990f8512a2296

    • SHA512

      ae8e42a428202d05fea4f1e6a4d3b919b644a792567f876b0fc392b1cddb856547b4c3b433c002fded6df4d4daec8fb7235f30d1ff9f42943d9e2557ade364d6

    • SSDEEP

      384:WyzWWfhW++Y3DGk8ZpH3GCJErst5+Y3DGU1a8JN77hh8T:35DGkiRBEQpDGw3hKT

    Score
    1/10
    • Target

      files/x86/api-ms-win-crt-conio-l1-1-0.dll

    • Size

      18KB

    • MD5

      7190cbfad2d7773d3b88ccc25533a651

    • SHA1

      71fe2bacc14b433d51328ea0810c1a030c80d844

    • SHA256

      4aeeae0ac9f6c1b0b8835067ea3b7fc429f353565f18de7858f4ea5d6f72072e

    • SHA512

      b314666c400268bf261c5f9e9966ad0680435241e7a24d85b28ae4405d798b80eedb65ed8db7e8d93df90f886a6719a8b7ace8c25d0429392bc061868890c40c

    • SSDEEP

      384:WL5WfhWO+Y3DGk8ZpH3GCJErBf+Y3DGUCU8JN77hhIw:FVDGkiRBELDGfX3hKw

    Score
    1/10

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

4
T1005

Tasks

static1

Score
1/10

behavioral1

stealcvidarstealer
Score
10/10

behavioral2

amadeystealcvidarffb1b9discoveryspywarestealertrojanupx
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

Score
1/10

behavioral8

Score
3/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
3/10

behavioral12

Score
3/10

behavioral13

Score
1/10

behavioral14

Score
3/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
3/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10