General

  • Target

    73636685f823d103c54b30bc457c7f0d.exe

  • Size

    457KB

  • Sample

    250302-pg3mqsvlw5

  • MD5

    73636685f823d103c54b30bc457c7f0d

  • SHA1

    597dba03dce00cf6d30b082c80c8f9108ae90ccf

  • SHA256

    1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c

  • SHA512

    183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

  • SSDEEP

    6144:P2ib1rFTRH6sf1kroyfIWjpTX335ilMSp01Hj6fGMWPsEY15sFBc9TT6N7AOs+OK:+ib1rFTRH6serb/p93j6fGMWP1N72h

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://�������� jlgenfekjlfnvtgpegkwr.xyz

Attributes

  • install_dir

    a58456755d

  • install_file

    Gxtuum.exe

  • strings_key

    00fadbeacf092dfd58b48ef4ac68f826

  • url_paths

    /3ofn3jf3e2ljk/index.php

  • rc4.plain

Extracted

Family

systembc

C2

towerbingobongoboom.com

213.209.150.137

Attributes

  • dns

    5.132.191.104

Targets

    • Target

      73636685f823d103c54b30bc457c7f0d.exe

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Systembc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks