General

  • Target

    6a0776df2d53513aa8aa6152f52903ac8631f2438b3dffccb5ee0c9c8682a48e.exe

  • Size

    1.8MB

  • Sample

    240928-bvaxzssbnc

  • MD5

    17dcd72d51948d374c79be3a52bb647a

  • SHA1

    0c97827e45ea2420546fb335350648f5ea7f6b63

  • SHA256

    6a0776df2d53513aa8aa6152f52903ac8631f2438b3dffccb5ee0c9c8682a48e

  • SHA512

    0abaa9010ff909f7bd30200ba884161f56cc3a18b44cf8355bb5ba513b746ec0a87dae7cb02e374814d419f53233aadae894a3bdb9d641f43ce89914b5438f65

  • SSDEEP

    24576:sBXMvpr340IwfskIs1FtX9dfjiNrxKc9I82ev86U9knHyslZvZKm4JiL3QBf1Ci2:R6wfskJXdrimc9/rEgXnO8

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

C2

47.238.55.14:4449

Mutex

rqwcncaesrdtlckoweu

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      6a0776df2d53513aa8aa6152f52903ac8631f2438b3dffccb5ee0c9c8682a48e.exe

    • Size

      1.8MB

    • MD5

      17dcd72d51948d374c79be3a52bb647a

    • SHA1

      0c97827e45ea2420546fb335350648f5ea7f6b63

    • SHA256

      6a0776df2d53513aa8aa6152f52903ac8631f2438b3dffccb5ee0c9c8682a48e

    • SHA512

      0abaa9010ff909f7bd30200ba884161f56cc3a18b44cf8355bb5ba513b746ec0a87dae7cb02e374814d419f53233aadae894a3bdb9d641f43ce89914b5438f65

    • SSDEEP

      24576:sBXMvpr340IwfskIs1FtX9dfjiNrxKc9I82ev86U9knHyslZvZKm4JiL3QBf1Ci2:R6wfskJXdrimc9/rEgXnO8

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks