General

  • Target

    689ff816fc3db38894e81abbdf63c02b.exe

  • Size

    549KB

  • Sample

    241015-tmcqqatdqa

  • MD5

    689ff816fc3db38894e81abbdf63c02b

  • SHA1

    aceb8ce81d4724d77a1b3031015f6e60d1139352

  • SHA256

    f2ebbd96f7cf19aa8cc8b1273d1f80169de93ac4dde951ff4547177a11010945

  • SHA512

    b7eefa534ab5b409718d8b2287983417299f78bfed6696bba1037d3c816c3cadd172e5d59b0ff6e4ee8abf340cbc396c1695a075e747030fa7f6d2bfcfb8ef4c

  • SSDEEP

    12288:MzW5JeQqp6xEWEoiH5KlCrX4FZg40rvM1BCpkLDapAGEhoCXOfNw9lu+eqQoEzwz:MzWCKlCroFWHr6BCCXau7X3pP7

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

61b84f

C2

http://78.153.139.168

Attributes

  • install_dir

    76c5995d57

  • install_file

    Gxtuum.exe

  • strings_key

    9de0451ffa8c2fdfc09ef4161fee0a87

  • url_paths

    /gfj38cHcw/index.php

rc4.plain

Targets

    • Target

      689ff816fc3db38894e81abbdf63c02b.exe

    • Size

      549KB

    • MD5

      689ff816fc3db38894e81abbdf63c02b

    • SHA1

      aceb8ce81d4724d77a1b3031015f6e60d1139352

    • SHA256

      f2ebbd96f7cf19aa8cc8b1273d1f80169de93ac4dde951ff4547177a11010945

    • SHA512

      b7eefa534ab5b409718d8b2287983417299f78bfed6696bba1037d3c816c3cadd172e5d59b0ff6e4ee8abf340cbc396c1695a075e747030fa7f6d2bfcfb8ef4c

    • SSDEEP

      12288:MzW5JeQqp6xEWEoiH5KlCrX4FZg40rvM1BCpkLDapAGEhoCXOfNw9lu+eqQoEzwz:MzWCKlCroFWHr6BCCXau7X3pP7

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

MITRE ATT&CK Enterprise v15

Tasks