General

  • Target

    #^NeW_PcSetUp_6677_PaSṣKḕY#$.zip

  • Size

    7.4MB

  • Sample

    240619-yr6xksyhnh

  • MD5

    e2ca8463b2cc1293bf286f4fb34fb4ec

  • SHA1

    d2cf738631b1300ebbbb555959bf35cc0e5d2e37

  • SHA256

    1be2dfdf4733f2403d090150a91a260967074db492b4c602c4fe873f45e3f2c5

  • SHA512

    49f53cd60abf15c668fe037aa39ebb7b63887aaeb05c2335eeec2fc100bb2136af3fcfba26950b0dae76eb059db97e2ee6eb8677b1055699f775ac3e53767ac9

  • SSDEEP

    98304:wXRyCjPd3YHG2gBjiiUvb9qbJ/rBZ0LcV2vrwDaALGbxYDExhY1vWPUdn6tX9flP:2H7Z3RiF5atlCcUsdLuqXpWU6j0//0

Malware Config

  • Extracted

    Family: stealc

    rc4.plain

  • Extracted

    Family: amadey

    Version: 4.30

    Botnet: ffb1b9

    C2: http://proresupdate.com

    Attributes

      • install_dir

        4bbb72a446

      • install_file

        Hkbsse.exe

      • strings_key

        1ebbd218121948a356341fff55521237

      • url_paths

        /h9fmdW5/index.php

    rc4.plain

Targets

    • Target

      #^NeW_PcSetUp_6677_PaSṣKḕY#$/Setup.exe

    • Size

      293KB

    • MD5

      d9602ab0e6370519bd54d13d22dd6ef5

    • SHA1

      95a3a7afdb00e1b2a99fddfe5d3203aa5cd4a09d

    • SHA256

      63ec17feda1f0ea80e0dd7b7938fbf7354aedf8d9f4041543afca9a35337f7bf

    • SHA512

      4587ca630bf5e421e48d5ac7f9ac6866000b06a99d89c1ca31c999414a63ba06a6be2e11467c045b0e2cddb21d792342e69977e6abda6e265b91044e2c8007cd

    • SSDEEP

      6144:jFnHaRGVUA2LOPQNk1Ekle0SnYBV+MiySwq+Q+KxwpwF1oPOmYjeTV4jog:ZnHaRPKIk1Ekle0SQq+Q+OwpwnV4g

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion

    Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1
    Modify Registry (T1112): 1

  • Credential Access

    Unsecured Credentials (T1552): 4
    Credentials In Files (T1552.001): 4

  • Discovery

    Query Registry (T1012): 3
    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 4
