General

  • Target

    9774d2eff3d73b1b0e300494b2b055ae69590d614b53f29d026b3e9ee66370e4

  • Size

    7.1MB

  • Sample

    241125-p6vcnatqam

  • MD5

    633492e2f891f632fe7140c9cd415d39

  • SHA1

    51200c742cdcdc1a1cb2ebe67074d5e2b5166b0d

  • SHA256

    9774d2eff3d73b1b0e300494b2b055ae69590d614b53f29d026b3e9ee66370e4

  • SHA512

    6ee6c41a48e5ef530e59d5cbd5d064a298c97e28c91dc35d143fb18f0fd51a9de43b9e0a02db886fd8c75fb5949527187a908801345f5b0aa88be95ce4d32bb4

  • SSDEEP

    196608:8PicWWRd9vgVIQAYhwDR124vIIJKUwHuSmiutKb:F0fvgVIQArX2bRH/v/b

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Targets

    • Target

      9774d2eff3d73b1b0e300494b2b055ae69590d614b53f29d026b3e9ee66370e4

    • Size

      7.1MB

    • MD5

      633492e2f891f632fe7140c9cd415d39

    • SHA1

      51200c742cdcdc1a1cb2ebe67074d5e2b5166b0d

    • SHA256

      9774d2eff3d73b1b0e300494b2b055ae69590d614b53f29d026b3e9ee66370e4

    • SHA512

      6ee6c41a48e5ef530e59d5cbd5d064a298c97e28c91dc35d143fb18f0fd51a9de43b9e0a02db886fd8c75fb5949527187a908801345f5b0aa88be95ce4d32bb4

    • SSDEEP

      196608:8PicWWRd9vgVIQAYhwDR124vIIJKUwHuSmiutKb:F0fvgVIQArX2bRH/v/b

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Cryptbot family

    • Detects CryptBot payload

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Modifies Windows Defender Real-time Protection settings

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.