amadey | 2d7fddd25a9bac1ad50e479cded38aebb623ce2a7a77e058b5a735fa4628f089 | Triage

Sharing

General

Target

h.zip
Size

272KB
Sample

241020-3ln7ssydjl
MD5

5ffaa2914787ee9676115b5515f5e46b
SHA1

ffc7f921c64ffba43676bb8da883daa34cff083b
SHA256

2d7fddd25a9bac1ad50e479cded38aebb623ce2a7a77e058b5a735fa4628f089
SHA512

8fa0955b5de617d24cde0859d35e780432ccd5a670f28afa5babb5bad40b8c7d28f418a4a921ece47b275b1c5e36b62d0ef5363f7d19f9b71f5121f4ea64a790
SSDEEP

6144:4RTQX8D1VRFaEE9jchNB4I3NkmNrIN74yY6TSTs:yTQXC1bEZcN/tsNMIZ

Score

10^/10

amadey rhadamanthys sectoprat 76a1c5 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

76a1c5

C2

http://185.208.158.96

Attributes

install_dir
9b94b7e626
install_file
Gxtuum.exe
strings_key
7ec67893d851db775fae22819287705c
url_paths
/mzmtrpwoe113ee/index.php

rc4.plain

Extracted

Family

rhadamanthys

C2

https://185.196.11.237:9697/f002171ab05c7/hip4946p.881o6

https://185.196.11.237:9697/f002171ab05c7/73434jqg.jxviu

Targets

- Target
  
  hdoqgihvw.exe
- Size
  
  557KB
- MD5
  
  edf87c3498772bd5a73af0baa1fb637a
- SHA1
  
  b7b2c8fdd06cad300c721e3cad2dc69bca3bbcdb
- SHA256
  
  90ffbc37f8b47bf0d7c629a33e25828c42791133afc754380f1559f2f01f522a
- SHA512
  
  a38857b7905210d862ba08f6de0c8a88e9a8a35a82bd61886d6613835f4204d2c12f26c319d720a7b2f6af9c86a35feac2ba621baeb81eb2fdd3ed402b7640ba
- SSDEEP
  
  12288:EB1rZEH5kKHBbjfxhEHrtZHw817hA5MWM1jZIxTXxSYGKuX04lxplu+edBZuwRZq:EBIEHrXw8hhcrM1d+BqXhUZq
Score

10^/10

amadey rhadamanthys sectoprat discovery execution rat spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyrhadamanthyssectopratdiscoveryexecutionratspywarestealertrojan

behavioral2

amadeyrhadamanthyssectopratdiscoveryexecutionratspywarestealertrojan