General
-
Target
https://www.soft-got.org/adobephotoshop
-
Sample
240803-t65kvaygnq
Malware Config
Extracted
amadey
4.41
9f93a2
http://185.208.158.116
http://185.209.162.226
http://89.23.103.42
-
install_dir
3bca58cece
-
install_file
Hkbsse.exe
-
strings_key
554ac8d4ec8b2a0ead6c958fdfed18cb
-
url_paths
/hb9IvshS01/index.php
/hb9IvshS02/index.php
/hb9IvshS03/index.php
Targets
-
-
Target
https://www.soft-got.org/adobephotoshop
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2