Resubmissions

28-06-2024 17:14

240628-vr2fbaxclf 10

09-03-2024 17:17

240309-vtrnwsdg2s 10

General

  • Target

    OneApp.IGCC.WinService.zip

  • Size

    3.5MB

  • Sample

    240628-vr2fbaxclf

  • MD5

    975b7e7c5ce9f455e9842c8ef481ef97

  • SHA1

    89c5c444aac01d257f439d1aa37f96fb4c95b01b

  • SHA256

    4439c40b5de4942e215ac33995c521bd20c906125ef009c913fcf466c7406f19

  • SHA512

    b683d6623614648adef01793edc1a112e16dce9dcdeb8faf8b3bab013b7887ef974e21ed0d63c569c63156ea4a0f4d2ab91b1985110c2e82067ce2c41d5bcfc1

  • SSDEEP

    98304:Z4zD9b+yz4BzQQHbaFZs2o08KZ57wuCGFT2y0D3u9P:ZKrzgcat2oIMuGyAe

Malware Config

Extracted

Family

amadey

Version

4.18

Botnet

84fc95

C2

http://pleasurecanbesafe.com

Attributes
  • install_dir

    40c3273379

  • install_file

    Dctooux.exe

  • strings_key

    65688f14a915e81474c2405160e45f77

  • url_paths

    /7vAficZogD/index.php

rc4.plain

Targets

    • Target

      OneApp.IGCC.WinService.exe

    • Size

      5.5MB

    • MD5

      0cb7d11ea511391d791b0fbb9637ee79

    • SHA1

      96c13496ad8342bdf1cb0ffbe59f673c8395e99b

    • SHA256

      502129a00203367b15d57f87b5b51d01fb292928708decb723cd7ad866a7fda3

    • SHA512

      8823a02a66d883cb7bffce5f4c93a216dd3280f5f65b340b00b8d6e72112327ef4e64fe6cd3c43dfe3dc7e241d19d4ea98bc9e9e3d49ca2818131920b4093aeb

    • SSDEEP

      98304:MXu+i79EbSTjewAV6G67Ngr9wZZGBysnji/MZ/HqLGdOVnhamYMNwHYo8C4Esg6:MXuzCSTqwAV63Ngr9w6Zj5lHkG8hzqHw

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks