Overview

overview

10

Static

static

10

0468127a19...1f.exe

windows11-21h2-x64

3

2a3b92f618...6b.exe

windows11-21h2-x64

10

b154ac015c...cf.exe

windows11-21h2-x64

8

b96bd6bbf0...69.exe

windows11-21h2-x64

10

bb8e52face...3e.dll

windows11-21h2-x64

8

ca467e3323...a4.dll

windows11-21h2-x64

8

e93d6f4ce3...ad.exe

windows11-21h2-x64

10

fa5390bbcc...f6.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    All.ElectroRAT.zip

  • Size

    881KB

  • Sample

    241210-q2t2rswrez

  • MD5

    7ff8d31ad43f62f1c6876b725a1ebb1f

  • SHA1

    e23baf502bf5b2eb81fea0a2e570e7ade8998bee

  • SHA256

    dda14413450a11f336a8305cf274943d614905c3429d4f0efeffe6bf4b8b7bdc

  • SHA512

    b1afbd5ed92933ffa1a1add1b5b8cc581c7361d8106fed20a8aee1493af7a0279b27e4220515d39e4f5640df43309aa40073750f9e232438cc5f7a561273a9c6

  • SSDEEP

    12288:yykcN4NEaT6082MQxzgoOnAlUiQNd83MBBPXyyg1/UgGc3G4af3ENPNBAIhH6oRt:vkckET92MAs8oNvLKBU5l4iCsWvVbGo

Score
10/10
amadeykpot044a28collectioncredcredential_accessdiscoverymodulespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

2.03

Botnet

044a28

Attributes
  • install_dir

    3101f8f780

  • install_file

    gbudn.exe

  • strings_key

    98efc0765f4c223e79368db4c8650353

  • url_paths

    /hfv23svj2/index.php

rc4.plain

Targets

    • Target

      0468127a19daf4c7bc41015c5640fe1f

    • Size

      121KB

    • MD5

      0468127a19daf4c7bc41015c5640fe1f

    • SHA1

      133877dd043578a2e9cbe1a4bf60259894288afa

    • SHA256

      dd1792bcdf560ebaa633f72de4037e78fe1ada5c8694b9d4879554aedc323ac9

    • SHA512

      39cec4cdc9e2b02923513a3f1bc3ac086b0598df77c7029493a810dfbe40c946fa62905d1dcb80aba87c9e74677aac893108faa94e027c261aff7d388bbdcdfc

    • SSDEEP

      3072:5HYBf8YzKw/MHfBTU3eiu0B/qIbmuvFT8whrQnFW:5HY70Bou0B/q6IOrQnFW

    Score
    3/10
    discovery
    behavioral1

    • Target

      2a3b92f6180367306d750e59c9b6446b

    • Size

      178KB

    • MD5

      2a3b92f6180367306d750e59c9b6446b

    • SHA1

      95fb90137086c731b84db0a1ce3f0d74d6931534

    • SHA256

      18fd6b193be1d5416a3188f5d9e4047cca719fa067d7d0169cf2df5c7fed54c0

    • SHA512

      c87cda81a0133db40be68e0dd94e39f986f3a32faa54d4a1420e071407c94fffdfef6d6ec8f3fdb893115d84ae12824436cf5785fdb2c77dafb96be858b3b5d0

    • SSDEEP

      3072:GK0YqBB9mUQ13o2vM2tD81JI0MBkuomh87I3pBSpvVFLm:GnrB9mUWdk26DIquom2dN

    Score
    10/10
    amadeydiscoverytrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • Executes dropped EXE

    behavioral2

    • Target

      b154ac015c0d1d6250032f63c749f9cf

    • Size

      457KB

    • MD5

      b154ac015c0d1d6250032f63c749f9cf

    • SHA1

      c96eab62367bd9efb5e124621d8dc2be7c5a61be

    • SHA256

      f33c78cddcf99dd999b065644a17dcbac1b222a7f3342b3fe3293ddb6ecf0060

    • SHA512

      dec37485f6e9e9109fa954d5e024223f555af7c2b12f5c9855aa77b43e97d5e54f4cdc651331eee2c7fcaf0a3fa58bb41222cdb3ce16c84b444ef564e7ce6eeb

    • SSDEEP

      12288:vw4bw/3KjP7bHnREf60JDQJ1MFrhi9PFBVoI+kA3dz+YsM9jMw9pMQH/Nxct+fbN:I4bw/3KjP7bHnREf60JDQJ1MFrhi9PFE

    Score
    8/10
    discovery

    • Modifies RDP port number used by Windows

    behavioral3

    • Target

      b96bd6bbf0e3f4f98b606a2ab5db4a69

    • Size

      330KB

    • MD5

      b96bd6bbf0e3f4f98b606a2ab5db4a69

    • SHA1

      b1d370efd0accfc0850237d9d54b19c5c1bf071d

    • SHA256

      2f83e130e52cb13944899e81f4ecf49decf52e3949f6d41b45e8b1a19a658ed6

    • SHA512

      b15e3928fdce6193233c9bf06d979ba5c707144c68abd7a25b976f581f33eaca903f44f564d2d05481915d050e74385196cc61629b8bc5be393ae4c89acd6525

    • SSDEEP

      6144:PEFgPWJh7yd23476SjW2h6al/k5MyF/zq2aqo:sFVJqoQk5FFrWL

    Score
    10/10
    kpotdiscoverystealertrojan

    • KPOT

      KPOT is an information stealer that steals user data and account credentials.

      trojanstealerkpot

    • KPOT Core Executable

    • Kpot family

      kpot
    behavioral4

    • Target

      bb8e52face5b076cc890bbfaaf4bb73e

    • Size

      222KB

    • MD5

      bb8e52face5b076cc890bbfaaf4bb73e

    • SHA1

      df430358a2c7eaf3e328a00a6f961ded9428e491

    • SHA256

      5545f31c832c8bde6cf7563cdc0f4a4b9b15416480e14f15420b1691444c376d

    • SHA512

      f465c12bf336e659608c3a4f1e8e14b0876d28f0ad1a75ffb60c674da9a3535493a7e9357ef6b55f78666418ef9c4f7795aa2840aac0f41d6b53131e353b1a59

    • SSDEEP

      6144:qJ+WK/pvT7arfwKFzDTsv5oaTh45CjBscX9TEGgO:RJpb7Y7vf5i5X9TcO

    Score
    8/10
    discovery

    • Blocklisted process makes network request

    behavioral5

    • Target

      ca467e332368cbae652245faa4978aa4

    • Size

      124KB

    • MD5

      ca467e332368cbae652245faa4978aa4

    • SHA1

      b6477944050fb4014c747c793378792b268ac06b

    • SHA256

      279524f17f8dd8753f57c2e3e91d21ad84db10316dfbf925cc19556cef55b99d

    • SHA512

      ce514859dd29aab68cc10acf7b2571a4f505b4ae4028f2bb9f733078d1eef6856581df42aa854861d8e7a8c61b01b9c67fd1f5774dd0c388a4ae960530d7f3af

    • SSDEEP

      3072:OeZmogDk+MPedGpqpm2pSBwkXWEfIvgNL2oA29:OeZkgXPppvhfvNS

    Score
    8/10
    collectioncredential_accessdiscoveryspywarestealer

    • Blocklisted process makes network request

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection
    behavioral6

    • Target

      e93d6f4ce34d4f594d7aed76cfde0fad

    • Size

      1024KB

    • MD5

      e93d6f4ce34d4f594d7aed76cfde0fad

    • SHA1

      786273ccee50c19e5d6f92aac58dbf617c79ec06

    • SHA256

      adeba13b358ea8be691fd7f4d025a6ea27b9b120d97d312ea875d6067434d77e

    • SHA512

      f4ed1270e447fe7406f33a0f1580f4789a799e1f1bfbd8303f2e93d7868dc40b9971f13f88513e48340fa90c91cb86d56d998e0d9cfda65ba150add638ebf0c7

    • SSDEEP

      1536:WVieJrIbvUMqCgBKrLDd0GqlMm2+Na4NMRJMZkWKaH6kY+1WrwHNzx7hb3xMc:kie1AUztxKaakY+ksHNl3Mc

    Score
    10/10
    kpotdiscoverystealertrojan

    • KPOT

      KPOT is an information stealer that steals user data and account credentials.

      trojanstealerkpot

    • KPOT Core Executable

    • Kpot family

      kpot
    behavioral7

    • Target

      fa5390bbcc4ab768dd81f31eac0950f6

    • Size

      598KB

    • MD5

      fa5390bbcc4ab768dd81f31eac0950f6

    • SHA1

      c7d6151d7831d8b75ae6760c3006de58ae2d05e5

    • SHA256

      587a4463673093554cd75b5c9ccb6c254a9d6e8769b1e45ea0390eb2b9d57bff

    • SHA512

      867ddbba9144685aafaf90e8dc1b30ea47c8e9bb7eb1b57d8902d15e6cd632f85437e92371bf5f601a00bdf976b4c90739b027ebb48d2a9f8da8b174d618022e

    • SSDEEP

      6144:HHY70Bou0B/q6IwThbCgcGA/siicMSwbSxwepXJRHCQn:H47Bu0B/LIUzBMKQn

    Score
    10/10
    kpotdiscoverystealertrojan

    • KPOT

      KPOT is an information stealer that steals user data and account credentials.

      trojanstealerkpot

    • KPOT Core Executable

    • Kpot family

      kpot
    behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

2
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks