Overview

overview

10

Static

static

3

c71460537b...18.exe

windows7-x64

10

c71460537b...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c71460537b9584b5f550df694b80c9aa_JaffaCakes118

  • Size

    7.5MB

  • Sample

    241205-lncs4syncw

  • MD5

    c71460537b9584b5f550df694b80c9aa

  • SHA1

    bf96ffa379cb297d91d994a63e04f03d94eb8139

  • SHA256

    c329c73a0c1f6f156cc7a662abdf5e7ea30ed8b8f4b35253bf7f2435b83445c8

  • SHA512

    613c7165a1572c72fae2c721bf0e896304eb52eb04463333fae39f699d6da5390a7ee103907c245bd8537a3a183e6e76610a1bfc557e029ae58bf23ef269dfea

  • SSDEEP

    98304:gF8b2yodBaTJlvTuD17o2J5nsIsrInNI1TV++ykbHMOCXO6:g2b8SLA1M2sIX0kk5Ce6

Score
10/10
amadeyfabookiegcleaneronlyloggervidarxmrig933a6b927discoveryloaderminerspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

2.61

Botnet

a6b927

C2

http://185.215.113.25

Attributes
  • install_dir

    e8a12a95fa

  • install_file

    sqtvvs.exe

  • strings_key

    1cc248008096bc1c8e6f468b951db183

  • url_paths

    /f6vskbW/index.php

rc4.plain

Extracted

Family

vidar

Version

41.1

Botnet

933

C2

https://mas.to/@bardak1ho

Attributes
  • profile_id

    933

Extracted

Family

gcleaner

C2

gcl-page.biz

194.145.227.161

Targets

    • Target

      c71460537b9584b5f550df694b80c9aa_JaffaCakes118

    • Size

      7.5MB

    • MD5

      c71460537b9584b5f550df694b80c9aa

    • SHA1

      bf96ffa379cb297d91d994a63e04f03d94eb8139

    • SHA256

      c329c73a0c1f6f156cc7a662abdf5e7ea30ed8b8f4b35253bf7f2435b83445c8

    • SHA512

      613c7165a1572c72fae2c721bf0e896304eb52eb04463333fae39f699d6da5390a7ee103907c245bd8537a3a183e6e76610a1bfc557e029ae58bf23ef269dfea

    • SSDEEP

      98304:gF8b2yodBaTJlvTuD17o2J5nsIsrInNI1TV++ykbHMOCXO6:g2b8SLA1M2sIX0kk5Ce6

    Score
    10/10
    amadeyfabookiegcleaneronlyloggervidar933a6b927discoveryloaderspywarestealertrojanxmrigminer

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • Onlylogger family

      onlylogger

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • OnlyLogger payload

    • Vidar Stealer

      stealer

    • XMRig Miner payload

      miner

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Time Discovery

1
T1124

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks