General

  • Target

    file.exe

  • Size

    1.9MB

  • Sample

    240928-hwdhtssfqn

  • MD5

    b8fc8a5801e3c0172a199430c7dba1d6

  • SHA1

    2a53f4961410bea07de2259fd7875b30ae6a7856

  • SHA256

    c438ad0f0d3f595677bfd83cfbab377224cdcc7275f7954639c113e767e8ddf5

  • SHA512

    b6a2e23babec64712408dbf0e1a9ce5720a4aff14c6de3e90a756c00ec97d01f394a18608de1cb2a90f87ce6c6fa8b4829ca57f77b8c110462b65af10e9ba3ec

  • SSDEEP

    49152:Pfxsg8rRSzxCa2w6G/fSrvYMSdkhNebdu:HxaVo0w6oKbYXdkhuc

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

C2

47.238.55.14:4449

Mutex

rqwcncaesrdtlckoweu

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      file.exe

    • Size

      1.9MB

    • MD5

      b8fc8a5801e3c0172a199430c7dba1d6

    • SHA1

      2a53f4961410bea07de2259fd7875b30ae6a7856

    • SHA256

      c438ad0f0d3f595677bfd83cfbab377224cdcc7275f7954639c113e767e8ddf5

    • SHA512

      b6a2e23babec64712408dbf0e1a9ce5720a4aff14c6de3e90a756c00ec97d01f394a18608de1cb2a90f87ce6c6fa8b4829ca57f77b8c110462b65af10e9ba3ec

    • SSDEEP

      49152:Pfxsg8rRSzxCa2w6G/fSrvYMSdkhNebdu:HxaVo0w6oKbYXdkhuc

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • VenomRAT

      Detects VenomRAT.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks