General

  • Target

    random (5).exe

  • Size

    429KB

  • Sample

    250302-btzjysyzes

  • MD5

    a92d6465d69430b38cbc16bf1c6a7210

  • SHA1

    421fadebee484c9d19b9cb18faf3b0f5d9b7a554

  • SHA256

    3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

  • SHA512

    0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

  • SSDEEP

    6144:Q/RCey1AxsmF1cQxQ3KcTN3Wz40v1fwb6prdotQ6g0MQYSE2/H9yQ+iT5gc7AOOp:Q/RCey1AxsmUQ63NmjyQ6g0MQYZc7Kb

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.index.hu
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    cytyheca

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mx.abcnetworkingu.pl
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    db6rqz73oB

Extracted

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    ma.medias.ne.jp
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    terry333

Extracted

Family

systembc

C2

towerbingobongoboom.com

213.209.150.137

Attributes
  • dns

    5.132.191.104

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Targets

    • Target

      random (5).exe

    • Size

      429KB

    • MD5

      a92d6465d69430b38cbc16bf1c6a7210

    • SHA1

      421fadebee484c9d19b9cb18faf3b0f5d9b7a554

    • SHA256

      3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

    • SHA512

      0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

    • SSDEEP

      6144:Q/RCey1AxsmF1cQxQ3KcTN3Wz40v1fwb6prdotQ6g0MQYSE2/H9yQ+iT5gc7AOOp:Q/RCey1AxsmUQ63NmjyQ6g0MQYZc7Kb

    • Detects Healer an antivirus disabler dropper

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Healer

      Healer an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender DisableAntiSpyware settings

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender TamperProtection settings

    • Modifies Windows Defender notification settings

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Systembc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Contacts a large (809) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks