General

  • Target: d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29
  • Size: 1.3MB
  • Sample: 240919-2nj57avdnc
  • MD5: 2b01c9b0c69f13da5ee7889a4b17c45e
  • SHA1: 27f0c1ae0ddeddc9efac38bc473476b103fef043
  • SHA256: d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29
  • SHA512: 23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455
  • SSDEEP: 24576:b9yEBs1ZKaxv6rRVO9VdLCjJehm4v2TeLUzguXpdQhgRQ7SoYafkW:bxqZK66rb4V0cxtQzv5dQhgRQ7SxID

Malware Config

Extracted

  • Family: amadey
  • Version: 4.41
  • Botnet: 1176f2
  • C2: http://185.215.113.19
  • Attributes
      • install_dir: 417fd29867
      • install_file: ednfoki.exe
      • strings_key: 183201dc3defc4394182b4bff63c4065
      • url_paths: /CoreOPT/index.php
rc4.plain

Extracted

  • Family: cryptbot
  • C2: analforeverlovyu.top, thirtvf13ht.top
  • Attributes
      • url_path: /v1/upload.php

Targets

    • Target: d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • CryptBot
      CryptBot is a C++ stealer, widely distributed bundled with other software.
    • Detects MeshAgent payload
    • MeshAgent
      MeshAgent is a trojan written in C++.
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Credentials from Password Stores: Credentials from Web Browsers
      Malicious access to, or copying of, the web browser credential store.
    • Downloads MZ/PE file
    • Sets service image path in registry
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar data.
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Drops file in System32 directory
    • Enumerates processes with tasklist
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks