General

  • Target

    ##!!SetUp_2244_Pa$sW0rd$$!!.zip

  • Size

    21.6MB

  • Sample

    240618-xwehfsygjp

  • MD5

    b6401f6504efddb1b9b45762b5374cb6

  • SHA1

    4f71454ce8a9d85996c3ddd59a2bc30d0a7b96bf

  • SHA256

    b09d14fbdce91d25ec9e2c680afca3ace960d85324e7639a2aa5eb70bf1ea6d2

  • SHA512

    58451d03786a24bc06d3786bef7b9cc8cb9981456615e93756487e6223c5126aaae7ebcee5d5877b4c0e831e4e08113ffe839681e88ef2a6becfb33ee74a98f4

  • SSDEEP

    393216:9T9WAoah1Pnc1fPcNjOKeazxTfqYFXn9I4mEKQi8OsOCeyMvI1rBiypJA:9BWAP7c1f5K9xTfZX9I4Pl3LxMvI1tvA

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

amadey

Version

4.30

Botnet

ffb1b9

C2

http://proresupdate.com

Attributes
  • install_dir

    4bbb72a446

  • install_file

    Hkbsse.exe

  • strings_key

    1ebbd218121948a356341fff55521237

  • url_paths

    /h9fmdW5/index.php

rc4.plain

Targets

    • Target

      ##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe

    • Size

      718.7MB

    • MD5

      206f895f2048b63865a15c88c730df67

    • SHA1

      ae225462c8ec8593fd68c3819b9e4e016e7b2a26

    • SHA256

      fe780b0e5d8985354906e5d666614c3c6d115e8e164c489a22dcc86edf3e3e31

    • SHA512

      25f4cc5af18ffef0bdcf668891052a62e923d04ab063013de2e784152136bc6f1b9fa38742c1cd5f0133dcefb5e250778790df6cc8ff3a08435d2c8f9828860b

    • SSDEEP

      393216:iE4pNOK/1nm4QGsfBrqN3TQg+US6fqUsXPf1YZUT:i11nm4QGskTQgPS6f3+FMUT

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Collection

Data from Local System

4
T1005

Tasks