General

  • Target: fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
  • Size: 424KB
  • Sample: 240620-3yz5tsxckm
  • MD5: 993609639c915d36f2821bad869a17d4
  • SHA1: 899988523cc0bde90c28889a5e32b273757915ac
  • SHA256: fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
  • SHA512: 147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32
  • SSDEEP: 6144:6O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHU:axBuBTExX+AoLzTUKdvST/BoKupOjHz

Malware Config

Extracted

  • Family: amadey
  • Version: 4.30
  • Botnet: 94bf1c
  • C2: http://185.172.128.116
  • Attributes
    • install_dir: 263c5c4d73
    • install_file: Hkbsse.exe
    • strings_key: 70b7c8f26e3bc561578bd326a2eadf5a
    • url_paths: /Mb3GvQs8/index.php

rc4.plain

Extracted

  • Family: amadey
  • Version: 4.21
  • Botnet: b2c2c1
  • C2: http://greendag.ru
  • Attributes
    • install_dir: e221f72865
    • install_file: Dctooux.exe
    • strings_key: 09a7af7983af08af50ea3f51a73065e9
    • url_paths: /forum/index.php

rc4.plain

Targets

    • Target: fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7 (size, hashes and SSDEEP as listed under General)

    • Amadey

      Amadey is a simple trojan bot primarily used to collect reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read to detect sandbox environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks