General

  • Target

    file.exe

  • Size

    1.7MB

  • Sample

    241126-c9v25szpcz

  • MD5

    ed7c5463807aadb8f9a29da98de85541

  • SHA1

    8bbf942e682157725b804fa8eb872e8926fdf27f

  • SHA256

    2d819fe3a7fd77aa5e76d170914b0721ad7b71c3694fb93b86420f3103c05aaa

  • SHA512

    1e52886cbbd8c7442c83b7be062f350e1d8f55098e3ed3495252d3adca56fa233d237005278762e32da21914b76e971f825ddf6d7b029f9d9d16383ac32483ce

  • SSDEEP

    49152:j1e455FL5kLUl8nUojc65ImuOYDhVJA4vCsg7j+76ULBgKWs:j1/5P5ZuNu5hbAR17j6b

Malware Config

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Targets

    • Target

      file.exe

    • Size

      1.7MB

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • CryptBot

      CryptBot is a C++ stealer widely distributed in bundles with other software.

    • Cryptbot family

    • Detects CryptBot payload

      CryptBot is a C++ stealer widely distributed in bundles with other software.

    • Modifies Windows Defender Real-time Protection settings

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks
