General

  • Target

    de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca

  • Size

    3.1MB

  • Sample

    241122-fkm7sa1jdp

  • MD5

    a69aa32f8ef6d84b33b18056e03d52d7

  • SHA1

    302d6aeb0e86201b7048a9f39b6aa5d476a2d38e

  • SHA256

    de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca

  • SHA512

    e1c1637e7be30652e3b732c7c2d8ec1135209ece72f54d6a131cb27af241c962e914acb78aaa68a5150deeaf9ed46c35b9eb9a0decce43fa03438539035c5f2c

  • SSDEEP

    49152:9Ymcx4roZQ5VWaX2yYbKokN6y7Iex1hM0:95droartX2yYbFkOj0

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Targets

    • Target

      de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca

    • Size

      3.1MB

    • MD5

      a69aa32f8ef6d84b33b18056e03d52d7

    • SHA1

      302d6aeb0e86201b7048a9f39b6aa5d476a2d38e

    • SHA256

      de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca

    • SHA512

      e1c1637e7be30652e3b732c7c2d8ec1135209ece72f54d6a131cb27af241c962e914acb78aaa68a5150deeaf9ed46c35b9eb9a0decce43fa03438539035c5f2c

    • SSDEEP

      49152:9Ymcx4roZQ5VWaX2yYbKokN6y7Iex1hM0:95droartX2yYbFkOj0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Cryptbot family

    • Detects CryptBot payload

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Modifies Windows Defender Real-time Protection settings

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks
