General
-
Target
https://yhesf.for.com.de/pzlxh
-
Sample
240906-cfjr1s1ama
Malware Config
Extracted
rhadamanthys
https://45.159.188.37:443/44194499adc4d2b753ee/gcj8ajmp.qnu3f
Extracted
amadey
4.41
3dae01
http://185.208.158.116
http://185.209.162.226
http://89.23.103.42
-
install_dir
239f17af5a
-
install_file
Hkbsse.exe
-
strings_key
91a6d9abcd7a774809c7ff7ced665178
-
url_paths
/hb9IvshS01/index.php
/hb9IvshS02/index.php
/hb9IvshS03/index.php
Targets
-
-
Target
https://yhesf.for.com.de/pzlxh
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Defense Evasion
Impair Defenses
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1