Overview

overview

10

Static

static

3

FastMath.dll

windows10-2004-x64

10

Resubmissions

02-11-2024 13:10

241102-qetsgsvgnr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    FastMath.dll

  • Size

    806KB

  • Sample

    241102-qetsgsvgnr

  • MD5

    2acea922e251c62106719021bebd1815

  • SHA1

    6cb02b2483212fc068b57271fcf7e302b2b8d135

  • SHA256

    8c6c3f9b3fd8497322cd9e798790aa3485a44f9c5418bb4aa97b630a3fb8cead

  • SHA512

    2e3dd20190cd4caee4692c31860192af2e4e47ea8b3b495d506e37ef61c39ae9d2ac1d6640b20ccf0d8815dbb86cbf4e3407aeace546c7427e19bbf323fd87e8

  • SSDEEP

    24576:pFdF7JvWnT4EZobVCbnA5vz7/gbHcJ2y5TnfFcKQSkhjI+b:FWbHKNcXSk

Score
10/10
amadeyasyncratquasarstealcvidarxworm(***_c.p.a_***)9c9aa5talevtroycollectioncredential_accessdiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://detail-booking.com.br/cpa.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://paradisoprovisor1.hospedagemdesites.ws/cpa.pdf

Extracted

Language
ps1
Source
URLs
exe.dropper

http://45.149.241.169:5336/ghsjfsgfjsyhsfhzgbdfbgzgfb/yugygfyjsbdfoesrjfzbhffbserhbwdewbrtsnbdjkfbrhjgvghvhgvhgvhgvHfgcNchgfcnhchgchgcnGfcngcgdcngchcngch/jhbhfbjadhghjvgfcxhhfcjtgvkhdfskjdkbzhdfhmzdkydbfvhzdfjgvhzvg/tfvjtcfgchgcgcHcgcftjcgtygvgFtrdcjfcgkhvGcjfcxhfcjgVK/chfgcx.exe

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    otstysyski.usite.pro
  • Port:
    21
  • Username:
    lotstysyski
  • Password:
    ProGen

Extracted

Family

vidar

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

xworm

Version

5.0

C2

products-profit.gl.at.ply.gg:36450

Mutex

4s4X91Qf4LTgCiRy

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

(***_C.P.A_***)

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:3313

127.0.0.1:9441

127.0.0.1:9442

127.0.0.1:2900

45.40.96.97:6606

45.40.96.97:7707

45.40.96.97:8808

45.40.96.97:3313

45.40.96.97:9441

45.40.96.97:9442

45.40.96.97:2900

cdt2023.ddns.net:6606

cdt2023.ddns.net:7707

cdt2023.ddns.net:8808

cdt2023.ddns.net:3313

cdt2023.ddns.net:9441

cdt2023.ddns.net:9442
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

quasar

Version

1.3.0.0

Botnet

VTROY

C2

31.13.224.12:61512

31.13.224.13:61513
Mutex

QSR_MUTEX_4Q2rJqiVyC7hohzbjx

Attributes
  • encryption_key

    7Vp2dMCHrMjJthQ2Elyy

  • install_name

    downloads.exe

  • log_directory

    Logs

  • reconnect_delay

    5000

  • startup_key

    cssrse.exe

  • subdirectory

    downloadupdates

Targets

    • Target

      FastMath.dll

    • Size

      806KB

    • MD5

      2acea922e251c62106719021bebd1815

    • SHA1

      6cb02b2483212fc068b57271fcf7e302b2b8d135

    • SHA256

      8c6c3f9b3fd8497322cd9e798790aa3485a44f9c5418bb4aa97b630a3fb8cead

    • SHA512

      2e3dd20190cd4caee4692c31860192af2e4e47ea8b3b495d506e37ef61c39ae9d2ac1d6640b20ccf0d8815dbb86cbf4e3407aeace546c7427e19bbf323fd87e8

    • SSDEEP

      24576:pFdF7JvWnT4EZobVCbnA5vz7/gbHcJ2y5TnfFcKQSkhjI+b:FWbHKNcXSk

    Score
    10/10
    amadeyasyncratquasarstealcvidarxworm(***_c.p.a_***)9c9aa5talevtroycollectioncredential_accessdiscoveryexecutionratspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Vidar Stealer

      stealer

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Stealc family

      stealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

JavaScript

1
T1059.007

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Modify Authentication Process

1
T1556

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Authentication Process

1
T1556

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks