Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-12-2024 09:04
General
-
Target
Fortnite Accounts Checker BY X-SLAYER.exe
-
Size
1.8MB
-
MD5
88ad4c9d421e7048ed4f7599b2fb7204
-
SHA1
41c238b67e3d16ee866cf652680ded68d52c3815
-
SHA256
86b1e6b0bc4305085793f8110d62411ce2880f3dc8501ccd35419db65dd854ef
-
SHA512
5cee89157ef54aa43fa2861631db5d4d2e97134d96ffbae4c03092aa352b816ebdf86be97acc3958ffd0d8fb5fd4340dfa3276958dd090505be0b791f0d67b31
-
SSDEEP
24576:HJTZtuky+rjj9tL8ZMEiDfWbcp+2dnTLcb24EgU1oeImW3:pM+YMEbC+2Vsjn
Malware Config
Extracted
amadey
5.10
0f3be6
http://185.81.68.147
http://185.81.68.148
-
install_dir
ee29ea508b
-
install_file
Gxtuum.exe
-
strings_key
d3a5912ea69ad34a2387af70c8be9e21
-
url_paths
/7vhfjke3/index.php
/8Fvu5jh4DbS/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fortnite Accounts Checker BY X-SLAYER.exe"C:\Users\Admin\AppData\Local\Temp\Fortnite Accounts Checker BY X-SLAYER.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\systemcc.exe"C:\Users\Admin\AppData\Roaming\systemcc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\systemaa.exe"C:\Users\Admin\AppData\Roaming\systemaa.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Launcher.exe"Launcher.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
997KB
MD5fd1f797282a1ae9e8460c1847d52612f
SHA18a21e43542e33648065ca0277197de84bb5521db
SHA256768e5ab33e6b7acabe738f5e3d30e51e8f2bd656ecdc089da388e128b80eb337
SHA51295f130671966f4dd4ea579d08aaa182a51b5de1c31b59148909c05e7d3103a19b511d7a9bef6451a921fcea2382aa9b8c3a560027882dc29a39f28c7d3a0572d
-
Filesize
431KB
MD54962575a2378d5c72e7a836ea766e2ad
SHA1549964178b12017622d3cbdda6dbfdef0904e7e2
SHA256eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
SHA512911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53
-
Filesize
299KB
MD5357726e357f783847a5d3c1c21873ed1
SHA1f344bc21a0ab3e37a6fc7587fd761a5c0667dd60
SHA256dfd562f0737ac0a4e3cc10610a4746ad69091f735e485b668c8bf9526ac0bf46
SHA5125fc36c7b3883384f3e242c102be66ddbd68cd069ea1570f878f56a3e6cf03198ea3e1a791bca9091f2dbe3c394f47b18ff5b92e14a1d56b1f4654ada186a39dc
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
8KB
-
Filesize
1.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB