General

  • Target

    21745e1b35d8b4650dedcd3ee95c7004.exe

  • Size

    2.0MB

  • Sample

    250214-hjjjbawkcr

  • MD5

    21745e1b35d8b4650dedcd3ee95c7004

  • SHA1

    468da12d40f653e0a294592fd79784959633fe2b

  • SHA256

    00f17690a2eb58bddfc6a0f11c532590f2f44a476a0157cdcb9c52c5dc35c15d

  • SHA512

    9a3a91d63b8de8b2e2b71fed9326fe9cae6537cf51e7f4ddb419d004c003567bbc2439b3f9b411feb02f0da3e585e307ce1e606c78bfef52c3037566710a4d23

  • SSDEEP

    49152:uYLUah84Hxl2gtrNozvXpa15lL+HkGqjJx1EVh1z:uYLUa5Rl2Jzsl6HVqj31UH

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes

  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Path

C:\Program Files\7-Zip\Lang\HOW TO DECRYPT FILES.txt

Ransom Note

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON'T WORRY YOUR FILES ARE SAFE. TO RETURN ALL THE NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM.
PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK.
YOU CAN GET THEM VIA ATM MACHINE OR ONLINE
https://coinatmradar.com/ (find a ATM)
https://www.localbitcoins.com/ (buy instantly online any country)
1. Visit qtox.github.io
2. Download and install qTOX on your PC.
3. Open it, click "New Profile" and create profile.
4. Click "Add friends" button and search our contact - 677DD06ED071E4B557FF3D9236ACD21AFECBA485C6643AB84F766060B967DC6E0CFC34DDD9A0
Subject : SYSTEM-LOCKED-ID: 90890423
Payment 10 000$ BTC

URLs

https://coinatmradar.com/

https://www.localbitcoins.com/

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detect Poverty Stealer Payload

    • Detected Xorist Ransomware

    • Poverty Stealer

      Poverty Stealer is a crypto and infostealer written in C++.

    • Povertystealer family

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Xorist family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (4633) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
