Overview

overview

10

Static

static

3

ProtonVPN-10_11.zip

windows7-x64

1

ProtonVPN-10_11.zip

windows10-2004-x64

1

Launcher.dll

windows7-x64

1

Launcher.dll

windows10-2004-x64

1

Launcher.exe

windows7-x64

10

Launcher.exe

windows10-2004-x64

10

Launcher.exe.manifest

windows7-x64

3

Launcher.exe.manifest

windows10-2004-x64

3

data/0YZkUSGUwRKS

windows7-x64

1

data/0YZkUSGUwRKS

windows10-2004-x64

1

data/0ZQXVExBqIi8

windows7-x64

1

data/0ZQXVExBqIi8

windows10-2004-x64

1

data/0ew22Cf9qKXO

windows7-x64

1

data/0ew22Cf9qKXO

windows10-2004-x64

1

data/0hWKR82p3YbQ

windows7-x64

1

data/0hWKR82p3YbQ

windows10-2004-x64

1

data/0sLKrpjAgVoU

windows7-x64

1

data/0sLKrpjAgVoU

windows10-2004-x64

1

data/129zj9HHP7qr

windows7-x64

1

data/129zj9HHP7qr

windows10-2004-x64

1

data/1IGMno6OedFY

windows7-x64

1

data/1IGMno6OedFY

windows10-2004-x64

1

data/1QZBWs0lBhks

windows7-x64

1

data/1QZBWs0lBhks

windows10-2004-x64

1

data/1S6RvIM2Y7Wh

windows7-x64

1

data/1S6RvIM2Y7Wh

windows10-2004-x64

1

data/1YiMKiPIxhLJ

windows7-x64

1

data/1YiMKiPIxhLJ

windows10-2004-x64

1

data/1iIqaNX5b2q2

windows7-x64

1

data/1iIqaNX5b2q2

windows10-2004-x64

1

data/1v9LGHYmM5qU

windows7-x64

1

data/1v9LGHYmM5qU

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ProtonVPN-10_11.zip

  • Size

    23.5MB

  • Sample

    240807-v5tmma1enl

  • MD5

    d9829ab6d8fbc09656007b40d6b6cb01

  • SHA1

    dbee736452421bc365e1af75d935c7199d9b40f2

  • SHA256

    e24cfa0f2969d1df115d09223a689d3f1a2c8badaec53e9d925641919a6400ef

  • SHA512

    f1b60e2d47833b58cd0e680bc2ffa30202d098326ce10fa3137382fc12537a8cd69fce134183a43012015f4959aa174fc21e9ba350043ed726b01bc6ddbbf6d7

  • SSDEEP

    393216:M5CB8xKa+Nw/mNP5xmT0Sae9fmdGlAZlaTRCogiotvyHD78gasYxpH877sS99mS/:taEwkP6I2AeaiotvtqYb8HVmSWfY

Score
10/10
amadeyrhadamanthysxmrig9f93a2discoveryevasionexecutionminerpersistencestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

9f93a2

C2

http://185.208.158.116

http://185.209.162.226

http://89.23.103.42
Attributes
  • install_dir

    3bca58cece

  • install_file

    Hkbsse.exe

  • strings_key

    554ac8d4ec8b2a0ead6c958fdfed18cb

  • url_paths

    /hb9IvshS01/index.php

    /hb9IvshS02/index.php

    /hb9IvshS03/index.php

rc4.plain

Targets

    • Target

      ProtonVPN-10_11.zip

    • Size

      23.5MB

    • MD5

      d9829ab6d8fbc09656007b40d6b6cb01

    • SHA1

      dbee736452421bc365e1af75d935c7199d9b40f2

    • SHA256

      e24cfa0f2969d1df115d09223a689d3f1a2c8badaec53e9d925641919a6400ef

    • SHA512

      f1b60e2d47833b58cd0e680bc2ffa30202d098326ce10fa3137382fc12537a8cd69fce134183a43012015f4959aa174fc21e9ba350043ed726b01bc6ddbbf6d7

    • SSDEEP

      393216:M5CB8xKa+Nw/mNP5xmT0Sae9fmdGlAZlaTRCogiotvyHD78gasYxpH877sS99mS/:taEwkP6I2AeaiotvtqYb8HVmSWfY

    Score
    1/10
    behavioral1behavioral2

    • Target

      Launcher.dll

    • Size

      2KB

    • MD5

      32e7556ff4f5256d15e1fc843cee5e3d

    • SHA1

      b7283061428e9ca741c26dcfc3e869e2fc699f0b

    • SHA256

      b2f5dfcba2018e9b4314c245f6391783bd3717fe02fec3e6edf1b9d1a3801278

    • SHA512

      d39ca3fd8edb7db7e19655ea3aa69d8b0a4008514ed356808b59f7cdf4c109b7efd0ed54f6ea099d37b33f107f234adc4f01a178c90961e88d3c9ed7a8ebe40e

    Score
    1/10
    behavioral3behavioral4

    • Target

      Launcher.exe

    • Size

      364KB

    • MD5

      93fde4e38a84c83af842f73b176ab8dc

    • SHA1

      e8c55cc160a0a94e404f544b22e38511b9d71da8

    • SHA256

      fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

    • SHA512

      48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

    • SSDEEP

      6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

    Score
    10/10
    amadeyrhadamanthysxmrig9f93a2discoveryevasionexecutionminerpersistencestealertrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Creates new service(s)

      persistenceexecution

    • Stops running service(s)

      evasionexecution

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      Launcher.exe.manifest

    • Size

      1KB

    • MD5

      1b6de83d3f1ccabf195a98a2972c366a

    • SHA1

      09f03658306c4078b75fa648d763df9cddd62f23

    • SHA256

      e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

    • SHA512

      e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      data/0YZkUSGUwRKS

    • Size

      40KB

    • MD5

      32a223be9990b0bf5a48bba099294004

    • SHA1

      1084d1531cf517d4673a5c81e5b9ba34a7d54a90

    • SHA256

      16f3d5035d34c84b47dc9a1ce225adf551134418f9b31bc388e12a9a33adcc94

    • SHA512

      e13826e0496b9c3651cc0350afdd9e5d923a5a1fe8900514079484e3730f991d64aa06d444f5e876db9fe53b7b2d6416795039654576d5688c0a91711eb44fc5

    • SSDEEP

      768:TJYVZVvSLGWAUBO33kcJzz+C47lIb8cRTbuxrNwOHuH3U0cT7kW5T:TJYVZVKLIfnkcJuCwu8G+vOH3U0cTAW9

    Score
    1/10
    behavioral10behavioral9

    • Target

      data/0ZQXVExBqIi8

    • Size

      40KB

    • MD5

      fcff50d5f77a9352d13fe3ce1e9cdbce

    • SHA1

      ec50ae3f9324c147a9308f2b83a64f78e99a4f7e

    • SHA256

      a030f6274d78cae7621bf57f64f1b99faa006fcb6ed60ee9737d7cebdfddf332

    • SHA512

      17deab253665f93917ca28cb205205d8d16fed49428f6475ce3377828c156e334017a2742100efd0a8aabe4307743778f2ebec10c1c680bf4b56f1dfd8b174fb

    • SSDEEP

      768:rZanhC3T/6w3pJgu1/r+1lCUZ86mzGe94J/jQ4mRmiwI9JS4P:r+hC3TBZz1zslz2Gs4JEZqA7

    Score
    1/10
    behavioral11behavioral12

    • Target

      data/0ew22Cf9qKXO

    • Size

      40KB

    • MD5

      d728f0256804a64c51d2730c384b443c

    • SHA1

      0e71ff145993a4bda2f264091a0e749abfc8965b

    • SHA256

      8af3b48f6f6d316518529acf301e81f53bd3a8f275635dedb37891e0a58c693a

    • SHA512

      5fe27c86ebf5e484667e5eb23581aa46666fa90b1a5f21210fa8bb1e9e041ba9a4fd12b729c1048c2ef68264e33072117c49d489b8712b6287a9d60466666789

    • SSDEEP

      768:qxxhQWRGc7hnWiUpH5eGsNrGOTL+GG+TRT45Pe9JbjChSE:qH+ihnWicxwqwM+tgP23ChD

    Score
    1/10
    behavioral13behavioral14

    • Target

      data/0hWKR82p3YbQ

    • Size

      40KB

    • MD5

      762c46736886327db117340bcaf4cc8a

    • SHA1

      23dc596f67056addc0d65f2992e3abe745e6a228

    • SHA256

      c85156dc3b1a38563c057a93a30624c955e3df6390e85c1943d89d89c2af26a1

    • SHA512

      f7dfe1a4552100a8a4944bf65d05ce45c78442fb343ccc44ae23a0acd0ef7a3200acb4780dcffe4c5729203da47438120a3f269fe46bc65ae8aaa1293447f768

    • SSDEEP

      768:3AKOwxQ/JRpzaS0BuXgueMqyubhEm6ndhLEqff+pvVoE5Kq8rWms:wXwx4pzabBEg8Zm2zLE2mPLKums

    Score
    1/10
    behavioral15behavioral16

    • Target

      data/0sLKrpjAgVoU

    • Size

      40KB

    • MD5

      d5fc5fe60a638e6424866d393a33d022

    • SHA1

      ef81970bbdea5e4a837d0b6a090baafb6f85e937

    • SHA256

      5504f040467d5935875ed0015eb2a783dbcc3dd3dcb5f0af68b812713100ca11

    • SHA512

      bdd9bbfaf14e0af729bb5ad1460f00032a0fc7b640c7345551b6161acb7ebc5de3254a1e303bb2dc171d633552f035b75a56bc9f33a265df4c5efec20ada25cd

    • SSDEEP

      768:+sD34CiOEuHHlA+d3H9WF6jVY9STQPWSuZrAiusILbMuO:+G3b915dDeg/VZrUsI8uO

    Score
    1/10
    behavioral17behavioral18

    • Target

      data/129zj9HHP7qr

    • Size

      40KB

    • MD5

      3fc1882124f18a4175dc6482871cc388

    • SHA1

      bb338f36a3ebee771ac299ff3dc50846313a786d

    • SHA256

      3fb73c4bd8b03314d7c311edd58b90b9a36196193fcb100d2b3a11903d5aa699

    • SHA512

      b76218b054eb7113c71381c658dbd6d1e73d487b1ba6233236e80f8eb6118970ef8600edae40eaa674880e89f965b9bb085236af7fdc914bb4fa5dc2bead7184

    • SSDEEP

      768:6pP+Craqvz1cmJ2WhByt44i6EMRoxn9X4w49pSKUu2NT3p6K5BaNxLrK0ylghSL:SrGWBhBytNxEmCR4HbUu2Rp3CdBlSL

    Score
    1/10
    behavioral19behavioral20

    • Target

      data/1IGMno6OedFY

    • Size

      40KB

    • MD5

      d4ae9aaf2e559c0c7badda02e0b5c72d

    • SHA1

      4ba2b68c728ee3b1dbe19139414db9ea46e630ad

    • SHA256

      6560a4fe772d386d0ded5f6a8a2774f5b1d9e9f129126a315fdd7fe8086532cb

    • SHA512

      80095ceca970aa8fbf2819cec55d688a8258832df7341a07b7469ba169218f95d7000ff36b7c413197c9ac76f8480efa0a774347f977455b1f48d5a5d14d2ac4

    • SSDEEP

      768:1nwEvzkPmKOc2kTqXenNJ1vj08ZXAgmtnBhel3xm1hwlRL6m2VX/Nqx2A:h4VMoDNTvIuXAvnBUywbLYVvN0z

    Score
    1/10
    behavioral21behavioral22

    • Target

      data/1QZBWs0lBhks

    • Size

      40KB

    • MD5

      69e1a22e5664a32f6e0b03deb4b75956

    • SHA1

      8b8ef1ba51921abfbe7d5cbf8a29552694c86bea

    • SHA256

      bb3ae86b2bf5222606aaaee582cb1ffc9e80028eb7a4d86ea8ae0f7a93c8348c

    • SHA512

      87069e466029b31dcb7957ae0552268ca2595550c8732370923dcff7b610197a203e99a75e9d8ac415cb4c2670b5cca5eb280d69e36925c817be263a5fbd4f69

    • SSDEEP

      768:/B9q255SB6ggJXQdighpcO+mWCsR3sj7RnOyHOb9lsJPLw+5BsJsjA:e2XSBJgJXQdppZ+mE8BnNDPL95BesjA

    Score
    1/10
    behavioral23behavioral24

    • Target

      data/1S6RvIM2Y7Wh

    • Size

      40KB

    • MD5

      8e06ac2af43b0d47562a8f89a821e0e6

    • SHA1

      f4011fe77481d9d34e2b7629a241b2b4b1686f93

    • SHA256

      eceea3edf631161e3ee14e21049677d756ad11667c6d4ecb54dff6e6a4fbe5d4

    • SHA512

      5d3e1b8f52343f9750e8e56395dc1bd473d37f26dae99555e59905f184cf7c03ce5195f29b7a5e791c24d0f13a94df7481dd7792fe2ce93258f03e0724278399

    • SSDEEP

      768:P7x894v/e21VprfB1IR+aAC7FpnXXDBZR/XGwBYdGUEzkFo1rXZm38y:WwHJ1e+a1hXTB3/X1BnEo1Fmv

    Score
    1/10
    behavioral25behavioral26

    • Target

      data/1YiMKiPIxhLJ

    • Size

      40KB

    • MD5

      f25db82c5f1fd09c1863cc85f027b1bc

    • SHA1

      f5d481dca6978f18d61bf13fe4ff19aa26e1720e

    • SHA256

      b2968a0940c4924300d944b7c72cdd7570d4eab7ad1afa2c8c7bed3a0b8b0d63

    • SHA512

      2f6b0d4799be4eff67890fe67dc3ffc2e7cebe0002504619b9601b2cadc01b92b06a1842105ad20deb3734bd95c5b3363b5457ffce3145d08ef17cb83e453663

    • SSDEEP

      768:3EmxT7cpwfVG1fwSyWyyMdPnPLTNlnESMG9vrxR:3Eoz9GdwSyWyy0n7B/f

    Score
    1/10
    behavioral27behavioral28

    • Target

      data/1iIqaNX5b2q2

    • Size

      40KB

    • MD5

      e448230022dd95aadc685c49b4f74519

    • SHA1

      8e226dead04cf04db3603ee7e39b9e7a169afbad

    • SHA256

      a92eed926dbc96396a982ecc39a2b0c24918ed6cb8e781743f140d2250a4d742

    • SHA512

      c1b802567f8540d3e2e23b82c073a30c60a042b0608dd1ca6e9c1fbe014d39c233f61524c2018b5a5e5f1d9b89282167eb6ef2ca334c0300580345ac27ca2b19

    • SSDEEP

      768:2AhQhWaU5Ia5DU/0wITOSGQU2qu274fojgu6XKL/vk50li2QAg6sH2CyZ:2AGWaU5P5w/CTqQU4foVbvk5M+AoW1Z

    Score
    1/10
    behavioral29behavioral30

    • Target

      data/1v9LGHYmM5qU

    • Size

      40KB

    • MD5

      d92eee871fb3c9a603d0188cf78dfa1d

    • SHA1

      4644add4b05ebe58a92c42edbd597c1de63e0c98

    • SHA256

      7596727fc7be142e7900262fb58bba9f65d3cfe80a2dbdb0a008fcb97bc73676

    • SHA512

      94c347e70ecb85c89fed5769345ceb6e5e4462bca25c8c5b533c430d3ea945ef253f6a2c94a47c1964225170b413a2a88b5d41cde4c1dfe45494b8bb667d54ad

    • SSDEEP

      768:VXkuCWhN6R66Rr330VwCLC3vM2Nw2DlS8d5KAfoxRtWrhi38gO2vVSGVPlt:zCW36R68r0L8vM2NwCS8+AgxarhAO2ll

    Score
    1/10
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks

static1

Score
3/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

amadeyrhadamanthysxmrig9f93a2discoveryevasionexecutionminerpersistencestealertrojanupx
Score
10/10

behavioral6

amadeyrhadamanthysxmrig9f93a2discoveryevasionexecutionminerpersistencestealertrojanupx
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

Score
3/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10