Resubmissions

28-08-2024 22:02

240828-1x98aszhnk 10

27-08-2024 12:22

240827-pjyrkazgmh 10

General

  • Target

    9bff935ec8c2618fe262d931924c031e18eee550d9701e3cfb83c07918fd02ce

  • Size

    23.9MB

  • Sample

    240827-pjyrkazgmh

  • MD5

    4446b379278d2ca64882ec46015fc363

  • SHA1

    460b05e7cfff86b484f657917ddc768cca2100e3

  • SHA256

    9bff935ec8c2618fe262d931924c031e18eee550d9701e3cfb83c07918fd02ce

  • SHA512

    923ad8a378a67198e5dbaabf9b94ca84d0ffac10f348f7e7c3d0a0b76717b3194556893a39dfc02038159cbaf5c5941573cb47bbee4598b02a410238092fcd1c

  • SSDEEP

    393216:xvqrmxujE3K8U0y+t/nN3NZAv2ZV+jsmvGlAZlDhs5jiXhVeJFHVL/aRmuv3SLx4:srm84auySZLAv2LUMARs5jIVeJRF/aRn

Malware Config

Extracted

Family

rhadamanthys

C2

https://45.159.188.37:443/44194499adc4d2b753ee/gcj8ajmp.qnu3f

Extracted

Family

amadey

Version

4.41

Botnet

3dae01

C2

http://185.208.158.116

http://185.209.162.226

http://89.23.103.42

Attributes

  • install_dir

    239f17af5a

  • install_file

    Hkbsse.exe

  • strings_key

    91a6d9abcd7a774809c7ff7ced665178

  • url_paths

    /hb9IvshS01/index.php

    /hb9IvshS02/index.php

    /hb9IvshS03/index.php

rc4.plain

Targets

    • Target

      Launcher.dll

    • Size

      3KB

    • MD5

      84ac8cf047eb0d115d6134573ea2b347

    • SHA1

      9e494ff3290c4d021c7dc4b71b068d30485dd92c

    • SHA256

      c8515089831c29cdb6fd82018eccad2878fb74a5393d628faa393ba63931bbe4

    • SHA512

      99415a376cb61adaee687d6b75610d9248b9b8f91960867ec804c42e25890e1f96eedc6f4cb7f9659dde015b1d20da28ac3550147ff9194ed434bf4fb1313388

    Score: 1/10

    • Target

      Launcher.exe

    • Size

      364KB

    • MD5

      93fde4e38a84c83af842f73b176ab8dc

    • SHA1

      e8c55cc160a0a94e404f544b22e38511b9d71da8

    • SHA256

      fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

    • SHA512

      48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

    • SSDEEP

      6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      data/appInfo/services/Launhcer.dll

    • Size

      3KB

    • MD5

      6cced0a38b185030835bf8857633c159

    • SHA1

      4f1604d5e67894fb6b054f8ac82122fa8ad69ed6

    • SHA256

      f15ae3d7b9d5310f53939148cf8fe58c8078086e934628ad2c3a611a59181e36

    • SHA512

      576c4e937b13050ca408445242db266e43c02dc1ec8ea567994594bd624c276bb20c46b94cf54cfe1ac36091bb4cf9959df1403b4838ab15fa10c75f119e18cc

    Score: 1/10

    • Target

      data/appInfo/services/Launhcer.exe

    • Size

      364KB

    • MD5

      e5c00b0bc45281666afd14eef04252b2

    • SHA1

      3b6eecf8250e88169976a5f866d15c60ee66b758

    • SHA256

      542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

    • SHA512

      2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

    • SSDEEP

      6144:+pS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYql6wrEJWPYg:+p8KLBzQ7Lcf3SiQs2FTTql9unNrkv75

    Score: 8/10

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      data/appInfo/services/WinRAR.exe

    • Size

      2.1MB

    • MD5

      f59f4f7bea12dd7c8d44f0a717c21c8e

    • SHA1

      17629ccb3bd555b72a4432876145707613100b3e

    • SHA256

      f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

    • SHA512

      44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

    • SSDEEP

      49152:2oJAPtSHWxwJWzkDVkwg5NYUzNjteyUHBdH3y005:2ZAHWSxkfNNte9BpCN

    • Target

      data/appInfo/services/data/Launcher.dll

    • Size

      6KB

    • MD5

      6e7b8b4200d14198c2a6c2c7617a78db

    • SHA1

      b4d87db35a6cb1630a78e50939317f7c68a5303d

    • SHA256

      91436d2eb99775eef9b6e543c089794f851d750924d3aaede3627623fd0a7f2e

    • SHA512

      72aaa8307509aa26782e3954511f0d6306c9cffce312566b91036f173cd763f2d621f907cc3646cb0c0881ef066b7ec10d784eeb4c47c732812bb3eb3ddeb99d

    • SSDEEP

      192:+8FORePdnuJmiDo40PMZ21E70j+oitcoU8:ZORE2kjkAhjFD8

    Score: 1/10

    • Target

      data/appInfo/services/data/Launcher.exe

    • Size

      364KB

    • MD5

      93fde4e38a84c83af842f73b176ab8dc

    • SHA1

      e8c55cc160a0a94e404f544b22e38511b9d71da8

    • SHA256

      fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

    • SHA512

      48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

    • SSDEEP

      6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

    Score: 8/10

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      data/appInfo/services/wget.exe

    • Size

      4.9MB

    • MD5

      8c04808e4ba12cb793cf661fbbf6c2a0

    • SHA1

      bdfdb50c5f251628c332042f85e8dd8cf5f650e3

    • SHA256

      a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

    • SHA512

      9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

    • SSDEEP

      98304:bHObnQdOb3OWEqNHeHq6PdOnS8SOGdVilQeHPpXF0aGOVxuGqYE6hpAl/70pzd+Z:bHInQ5WE2HeHq61OJSOGdVilQeHPpXFA

    Score: 3/10
