General

  • Target

    9994b9e197b422529221de7238dc0e44ae21e66d78c48355f31837c3696ec90e.zip

  • Size

    45.2MB

  • Sample

    241230-f62x3azkfj

  • MD5

    7994512f16f04d3f8453986c6834b823

  • SHA1

    2d55c18d5d38068e6bb08168ab888ced6cecf4f2

  • SHA256

    9994b9e197b422529221de7238dc0e44ae21e66d78c48355f31837c3696ec90e

  • SHA512

    bf5e74311f55a9329d618d53f729271e323fd53ce6896f3a5926ec2b5e99c0e4fee59febbb3ae2c0fd7e25bcb06cf8258e0fa5f78154f4a592e88c02c1c976b0

  • SSDEEP

    786432:NmChb+7oxxT+J5yefAa198IHZYEFxfXXska4DtK/ayR8A8gnrjGUNfhAMtVHc4Bn:NmCJ+7ox1G5yeoI9/5nFNrx4CUdVnnG8

Malware Config

Extracted

Family

xworm

C2

185.117.250.169:7000

66.175.239.149:7000

185.117.249.43:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    WmiPrvSE.exe

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.gizemetiket.com.tr
  • Port:
    21
  • Username:
    pgizemM6
  • Password:
    giz95Ffg

Extracted

Family

lumma

C2

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://mafnufacut.cyou/api

https://scriptyprefej.store/api

https://navygenerayk.store/api

https://founpiuer.store/api

https://necklacedmny.store/api

https://thumbystriw.store/api

https://fadehairucw.store/api

https://crisiwarny.store/api

https://presticitpo.store/api

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

FOCO-WINPAX

C2

cdt2023.ddns.net:6606

cdt2023.ddns.net:7707

cdt2023.ddns.net:8808

cdt2023.ddns.net:3313

cdt2023.ddns.net:3314

cdt2023.ddns.net:9441

cdt2023.ddns.net:9442

cdt2023.ddns.net:9443

cdt2023.ddns.net:2900

cdt2023.ddns.net:1018

cdt2023.ddns.net:2019

cdt2023.ddns.net:2020

cdt2023.ddns.net:2021

cdt2023.ddns.net:5155

cdt2023.ddns.net:6666

cdt2023.ddns.net:9999

cdt2023.ddns.net:5505

chromedata.accesscam.org:6606

chromedata.accesscam.org:7707

chromedata.accesscam.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Targets

    • Target

      10b20d5ab63333029b484bf4fc528e6cd4dc755c99c31c24054d63f9e3447c1c.bat

    • Size

      935B

    • MD5

      1c94a162524f1ab324eb20ab36123aa9

    • SHA1

      2d0bd3e465120d8161a30782724f6381130c3e6a

    • SHA256

      10b20d5ab63333029b484bf4fc528e6cd4dc755c99c31c24054d63f9e3447c1c

    • SHA512

      f4252f79627dcf11c7b378a51503651476a10b22638b2797f6d6d33ef268acb54a1a37b0d2ba18535c9354470490261fef88d6a9aae6fde57c8388e035c12d3a

    Score
    8/10
    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Drops file in System32 directory

    • Target

      13b53797e8ae8969a0fe2fa57463fae3727af51fe094904b0bd5c4ba22bfd262.exe

    • Size

      2.7MB

    • MD5

      55d089adcef6d02f188a67f09a078f97

    • SHA1

      c61e9e0c50ae4977a937760c9e3ed19e8cab6863

    • SHA256

      13b53797e8ae8969a0fe2fa57463fae3727af51fe094904b0bd5c4ba22bfd262

    • SHA512

      7019795ea4693d7ce222618c980624b515efcdf9e0e2203df30156ca248cbe99f1f1637a747a40e27847a598119e0a38c4bd78db488fb0b19d3cb20da2b7f0b2

    • SSDEEP

      49152:l2Z9h/czBnu53qlDni1iijuxjiwranT5mvvCKxMGF0GlFyzzS3b:l2Z9Rc9nu53qlDi0ij5mNxL7FyX

    • Modifies Windows Defender Real-time Protection settings

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Windows security modification

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      15d55e886566f3da849370afa83b54cf3be37b95be32bfab0ef36ae56663c6ec.exe

    • Size

      2.1MB

    • MD5

      11161c01ba8c1c0639c29519d9a55133

    • SHA1

      6f878ae9e8dd2b2bd17f10c6ea340270ba52d936

    • SHA256

      15d55e886566f3da849370afa83b54cf3be37b95be32bfab0ef36ae56663c6ec

    • SHA512

      4afbc5e442452f7ce7f103b47ff7e80714fca5398a52c8d93dfcfe8896ca68b3a3ddd79205fbebb3bfefd17391c6501615088d385524cd6717acb6835edc0a55

    • SSDEEP

      49152:m9V95qi+PiSkTxj+FA26eUKXs7IUB4cqKRRJFsFEY426:6VZ/K22MGskUB1RRAaq

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1b5f4adeca66e96ef076cfe25b53be7b9a3bb5a0cb50e69001e8985abe8f580d.exe

    • Size

      2.0MB

    • MD5

      f51f2be2f8544e1d2d0fcd1c031e5f39

    • SHA1

      f98044d6ee3fb2604635da4c69502d94126eda04

    • SHA256

      1b5f4adeca66e96ef076cfe25b53be7b9a3bb5a0cb50e69001e8985abe8f580d

    • SHA512

      69177ccd878612c24001f88158b5b0a9302492ab52c92dca75bab3b8a84cdb2c4a5be6f8b97c6813079715386b42faba4c1302d51c1ca9b9fae86699fa50580c

    • SSDEEP

      49152:JOfo+MzSog8AOJpjykaF3h2NZphc3R936Nz4uE:KjMOV0pjykazMZ3Kxaz4uE

    Score
    3/10
    • Target

      3dc30eca9e2605ee856852687b05a74a8b9463de51a223b8344098ba7b402804.exe

    • Size

      1.3MB

    • MD5

      92eb7fdd42c1963733436dadbefe10eb

    • SHA1

      cc9fdc3b7f4f407eda3ad5064d32bae0d211f15f

    • SHA256

      3dc30eca9e2605ee856852687b05a74a8b9463de51a223b8344098ba7b402804

    • SHA512

      434aef63d6b8710153c5f70319de27b13503ac9db7d115d8eb2ca905f7725f1180469da33396089b864b54c5425b2014e8eea005e6d7fafd15751a99abc64d3c

    • SSDEEP

      24576:IqDEvCTbMWu7rQYlBQcBiT6rprG8aEfave0z8bFfCZ+SIN37VdYfkHCpmLb:ITvC/MTQYxsWR7aEfaRhbaLVdYfkig

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      56cd7a444e3f0c16d2b245d5e23f475bc69645bba2aa3d6c9bd22d34dddeb540.exe

    • Size

      898KB

    • MD5

      5265dcde5ea6a27a3475c937b5398279

    • SHA1

      b21450b5d007f5ad99ce2d4778bb03927cbc17c4

    • SHA256

      56cd7a444e3f0c16d2b245d5e23f475bc69645bba2aa3d6c9bd22d34dddeb540

    • SHA512

      eb6aaae24da6df7e04d11bbe876fcbfa20e5f8d82b5ff7d68396e2b0537a7950c88337cdccbf3e6c76d71ffbd58388df3fc52fe737c7960eecb9f0b09d54967b

    • SSDEEP

      12288:pqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tf:pqDEvCTbMWu7rQYlBQcBiT6rprG8abf

    Score
    3/10
    • Target

      5ee74cad243bc459b9068894fa0fc05d40cc8466322315f0132c8275a78112f9.exe

    • Size

      2.6MB

    • MD5

      6354373133352ba01002bf37447a6c5d

    • SHA1

      cd4133e43fee19def2e0a31aa40f600b95c9dbbe

    • SHA256

      5ee74cad243bc459b9068894fa0fc05d40cc8466322315f0132c8275a78112f9

    • SHA512

      f7cf81c16ce5ceff2f6cd946896780c7f1f0e5ca78356c52d36e5079e62acb3e0d5970e32033029faac41fca73438e5a9c2d09264f9aa57dcacf4c1a483a3244

    • SSDEEP

      24576:DrNfEyEa9w2DGLy9fNhR71ckpZzUbJbl/LI5Gbn2CL0LyoZtLzwmiiE+iv+9j6F:DrNfEyEObSW9f/DB2JdLnbnaHtwV+iF

    • Modifies Windows Defender Real-time Protection settings

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Windows security modification

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe

    • Size

      85KB

    • MD5

      c1826ac82abf9c6d49c3bff9f8cbb31c

    • SHA1

      0c15d09f8af3e0850c97b8aece22e351229ab6bd

    • SHA256

      5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43

    • SHA512

      76ada87e6b90a5a1e7622b148affd1ad89f83eef9af81f96b6d94d64ae8b4a80624b2b118a2890aca945a10b0ec12d0e6d0d4304d300e7be4cf8f70c4ebac855

    • SSDEEP

      1536:Dl+noSnLDekZPaf2vpmbl4aXmI7ufDD6ALj2TCzOgiHZnP:D8v/aev4bl4i7acoOzH1P

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe

    • Size

      297KB

    • MD5

      cf19765d8a9a2c2fd11a7a8c4ba3deda

    • SHA1

      63b5142b07b7773d4201932e7834ac11eafa1ab3

    • SHA256

      60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c

    • SHA512

      b97fc305bd0d22e26abf99e302b166cd5d2bb959eddecad0f45dc978761178f5f6d47788c4ad5098313e587198abc66a3477ed42203345c20dc07db4783bb762

    • SSDEEP

      6144:thP45uoAaSWyz8jVnA183ipgz7YGGmEOM8xm53Jhuy3/uL:t25uDiyzmR7kYVxm5i+2L

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      6a910528454646f73cbab1b93c854a0322111c61063711e49257ff9f6317d13f.exe

    • Size

      3.1MB

    • MD5

      e69c275c15ba40b8f4dbdb3923276d5c

    • SHA1

      2ec2666dad3e02f3a81d04410ade3d7ad662e148

    • SHA256

      6a910528454646f73cbab1b93c854a0322111c61063711e49257ff9f6317d13f

    • SHA512

      57f4a9b2963a58c8cbb1331ec5c9f098ac6693aa57f4d3913a6acb117eaa0eba87a10c24c3ae9f4e4ea920bbd27c647cea2978f87f1f1f0e0151bef7dd2904bc

    • SSDEEP

      49152:7f53MTZJ+ALI2bOEzlf3Qt3R5Ylj6q277olNIw8AiPV+:rtMTZJDLI2bOEzlf3AXZjol+jb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      6c4bf8dc2f2c1cccb9a2470f1610c11397fe168e55972eb0aaee7e77afd5d3d6.exe

    • Size

      898KB

    • MD5

      c2647ed78c0ea89aef2c32aa4e0f7770

    • SHA1

      9be41ba2467fc53a7eb5d34ed15bf11e392e89d0

    • SHA256

      6c4bf8dc2f2c1cccb9a2470f1610c11397fe168e55972eb0aaee7e77afd5d3d6

    • SHA512

      959c8a7f5ad8387200736043649c814ebd5948a25f0878d6d6cbb18396762959d13878a7002c2303abdab5a0fb54381aa3318529568717aff6c784a721d6abdf

    • SSDEEP

      12288:1qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TH:1qDEvCTbMWu7rQYlBQcBiT6rprG8abH

    Score
    3/10
    • Target

      807ebe758087a724108a1ab37dc3c954e2cd8aff85c36a8b849f2fc62929e538.exe

    • Size

      2.8MB

    • MD5

      290a55c8e419a34d8bff94799c9b90e4

    • SHA1

      1725eaeda7281dd4853b68cd2a4870f06286a873

    • SHA256

      807ebe758087a724108a1ab37dc3c954e2cd8aff85c36a8b849f2fc62929e538

    • SHA512

      fe990fecfb5682543654c15a4d2ff80b7ec82de7f18a1903505e6627cbf4dfb1dd9f788453f3f0576deccded97523815a87664dffc5dc7090cc5cc97bc82395d

    • SSDEEP

      49152:Wk3HjrLjh6N+VDTcEi8Xrqgp1c+Fyz0Fo4A:H3DnjHBgEi87fp1cyyz8

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      86abfdc3601520afa34d06dec50f9f71716cc6fde9fb3f47523454115cc894b3.exe

    • Size

      2.9MB

    • MD5

      084adace1c5bb891218281cb0825db8f

    • SHA1

      bb99a291c8e5205c618bb42d336145fc2c9602b4

    • SHA256

      86abfdc3601520afa34d06dec50f9f71716cc6fde9fb3f47523454115cc894b3

    • SHA512

      fc4841c750c452f702554f78d1eaa6c4b94b9a9fb7f32fdae23ccb76c4b7fdc50dce2b5aa6e128cc8860d7c6f8fad70b8557ca6ea52bee8b5cf079fc87b6baad

    • SSDEEP

      49152:te9oxuZ3loLZ0T2R9rOTj/J48nCLOT9yNS:taow3WLZ0TEasLOT9ys

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      89463c1b87a5f32ab2ba59d536134516fa593c29bc0a6eda9e3da390d7f05ea6.exe

    • Size

      389KB

    • MD5

      47311da785a73a1d499f17e6e2e3f787

    • SHA1

      5bd74b1ea8a47b3c19b84030e131ccae444f1672

    • SHA256

      89463c1b87a5f32ab2ba59d536134516fa593c29bc0a6eda9e3da390d7f05ea6

    • SHA512

      dec6848db46c1055d740377b02bb835d8adf35a0552ec776ce3fce967cf7b459ca327945b7561543a63600c80cb842098f7365e7773495e4aff08a4bf7775c49

    • SSDEEP

      6144:DE+yclwQKjdn+WPtYVJIoBfT12EJdz1ByZ/kLY:DBdlwHRn+WlYV+ycCVzM/kLY

    Score
    4/10
    • Target

      9bdc43df16cff6db219f2d3dd4a1e4b650262e73f98d2264926b90664942c187.ps1

    • Size

      446KB

    • MD5

      b5c90bb64c65c7dc4bb82301d04cb3a5

    • SHA1

      dc608bf3c1f20d5584a4c4fafc353e5569b6ac2b

    • SHA256

      9bdc43df16cff6db219f2d3dd4a1e4b650262e73f98d2264926b90664942c187

    • SHA512

      06154870d8c572c3687c6bdc44546c0642fde0d4554380a103712c2c8045b56743459af525e374acd6241b66c28c7102ebb101e786b08a725280384bcef6073c

    • SSDEEP

      3072:dqslZ+EZdDeUqAR2xEU2kwom+weekljaPC7b8fjEfxkBtXuVDLQ4:dq0+CdDeU/2xD2kxm+J5l14jEH

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Suspicious use of SetThreadContext

    • Target

      9d11b8db730658666dad535182ea248063dd23966344d458250219652dc392e1.exe

    • Size

      1.9MB

    • MD5

      5b65fec5d9750b6bfd69ad989744dd4d

    • SHA1

      e00068ad05b9ee6fbfa2b6ae9b6a9cd183b6e385

    • SHA256

      9d11b8db730658666dad535182ea248063dd23966344d458250219652dc392e1

    • SHA512

      6b2c0dd93e7478cfa89ee6281a1e983939b5f79d98e23dc2181e40dff76e9b11bd959e34fa8cc562c2f7a777fe20caf3da91efd645fedf667ccf2492bfc5c5d4

    • SSDEEP

      49152:mnaJ9GBpn+ar7f7fDJqR9i8GWw/LLr6KP68:UaAhLJqRaD6a

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1: xworm, chaos (Score 10/10)

behavioral1: execution (Score 8/10)

behavioral2: execution (Score 8/10)

behavioral3: discovery, evasion, trojan (Score 10/10)

behavioral4: discovery, evasion, trojan (Score 10/10)

behavioral5: stealc, tale, evasion, stealer (Score 10/10)

behavioral6: stealc, tale, discovery, evasion, stealer (Score 10/10)

behavioral7: discovery (Score 3/10)

behavioral8: discovery (Score 3/10)

behavioral9: agenttesla, discovery, keylogger, spyware, stealer, trojan (Score 10/10)

behavioral10: agenttesla, discovery, keylogger, spyware, stealer, trojan (Score 10/10)

behavioral11: discovery (Score 3/10)

behavioral12: discovery (Score 3/10)

behavioral13: discovery, evasion, trojan (Score 10/10)

behavioral14: discovery, evasion, trojan (Score 10/10)

behavioral15: xworm, execution, persistence, rat, trojan (Score 10/10)

behavioral16: xworm, execution, persistence, rat, trojan (Score 10/10)

behavioral17: discovery (Score 7/10)

behavioral18: lumma, discovery, stealer (Score 10/10)

behavioral19: amadey, 9c9aa5, discovery, evasion, trojan (Score 10/10)

behavioral20: amadey, 9c9aa5, discovery, evasion, trojan (Score 10/10)

behavioral21: discovery (Score 3/10)

behavioral22: discovery (Score 3/10)

behavioral23: lumma, discovery, evasion, stealer (Score 10/10)

behavioral24: lumma, discovery, evasion, stealer (Score 10/10)

behavioral25: lumma, discovery, evasion, stealer (Score 10/10)

behavioral26: lumma, discovery, evasion, stealer (Score 10/10)

behavioral27: discovery (Score 4/10)

behavioral28: discovery (Score 4/10)

behavioral29: execution (Score 3/10)

behavioral30: asyncrat, foco-winpax, discovery, execution, rat (Score 10/10)

behavioral31: amadey, fed3aa, discovery, evasion, trojan (Score 10/10)

behavioral32: amadey, fed3aa, discovery, evasion, trojan (Score 10/10)