Overview

overview

10

Static

static

10

1edc123e5a...1c.exe

windows7-x64

10

1edc123e5a...1c.exe

windows10-2004-x64

10

215a9d6110...dd.exe

windows7-x64

7

215a9d6110...dd.exe

windows10-2004-x64

7

351e31a389...15.exe

windows7-x64

10

351e31a389...15.exe

windows10-2004-x64

10

7c711ab33a...07.exe

windows7-x64

8

7c711ab33a...07.exe

windows10-2004-x64

10

a6b647b495...2a.exe

windows7-x64

3

a6b647b495...2a.exe

windows10-2004-x64

3

d521f17349...54.exe

windows7-x64

10

d521f17349...54.exe

windows10-2004-x64

10

df468fc510...a2.exe

windows7-x64

10

df468fc510...a2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    quarantine.rar

  • Size

    13.8MB

  • Sample

    250306-a7qzastvhz

  • MD5

    f1878dd5e0d6afd4975d879233358f30

  • SHA1

    6cb4542a5ed8e0ab30fc6ca86af04036400fd029

  • SHA256

    f50137e69eab731be6ac6e16fe5f5ce536d64b8e5d3786f7a68c6b4a7afc3940

  • SHA512

    895974447bda698a5a613b22572a757058e8d7cc23e90347b3c3043a5c10645334a7a576366af2cfacff450b184c848903f501711193b51d9c15d4bae3684a7c

  • SSDEEP

    393216:Iq44AjNZutA0JuCa6R7PE7HPu8UBVOmSvvRoO/Jcac:i7KlBaIPE7v8YRyDac

Score
10/10
amadeylitehttpstealcsystembcxmriga4d2cdlogsdillerbotcredential_accessdefense_evasiondiscoveryexecutionminerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://�������� jlgenfekjlfnvtgpegkwr.xyz
Attributes
  • install_dir

    a58456755d

  • install_file

    Gxtuum.exe

  • strings_key

    00fadbeacf092dfd58b48ef4ac68f826

  • url_paths

    /3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

�ai^����c��9�q|&)��Õv.

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Extracted

Family

stealc

Botnet

LogsDiller

C2

http://185.201.252.32

Attributes
  • url_path

    /2b24dfd684cad6a9.php

Targets

    • Target

      1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c.bin

    • Size

      457KB

    • MD5

      73636685f823d103c54b30bc457c7f0d

    • SHA1

      597dba03dce00cf6d30b082c80c8f9108ae90ccf

    • SHA256

      1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c

    • SHA512

      183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

    • SSDEEP

      6144:P2ib1rFTRH6sf1kroyfIWjpTX335ilMSp01Hj6fGMWPsEY15sFBc9TT6N7AOs+OK:+ib1rFTRH6serb/p93j6fGMWP1N72h

    Score
    10/10
    amadeya4d2cddiscoverytrojansystembcdefense_evasion

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Systembc family

      systembc

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd.bin

    • Size

      11.5MB

    • MD5

      9da08b49cdcc4a84b4a722d1006c2af8

    • SHA1

      7b5af0630b89bd2a19ae32aea30343330ca3a9eb

    • SHA256

      215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd

    • SHA512

      579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

    • SSDEEP

      196608:NRH/Vl0DXI3mvb/c1J26DfXKGvsFhsktW5Ql503UenCYzCIBetGgiPwKOhcb:NN0DXimj/GFktFl50EEza+Pnx

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral3behavioral4

    • Target

      351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815.bin

    • Size

      250KB

    • MD5

      3ccb5afab36b450f14e0bd1ad499acaa

    • SHA1

      e914392588697b04911a90343369d6a47bd7077e

    • SHA256

      351e31a389d6b59faf9842f34bbc27bab411ad796e187b98fb5c59361346a815

    • SHA512

      4f69a548a7e83182611568a999dd3a6873cc29f7ee438d84abb16c718b68edc6a69a9ba43b3750cafaf671e269a3926f42a04ca0c42acb0a66d24ae5a499ac97

    • SSDEEP

      6144:n+CipeWYD8I/QWAL0Vs/BiEq/yGmmR8GL3QNggnrP:+VefDLITx83yY9L3xo

    Score
    10/10
    stealclogsdillercredential_accessdiscoveryspywarestealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Stealc family

      stealc

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207.bin

    • Size

      120KB

    • MD5

      5b3ed060facb9d57d8d0539084686870

    • SHA1

      9cae8c44e44605d02902c29519ea4700b4906c76

    • SHA256

      7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207

    • SHA512

      6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

    • SSDEEP

      3072:EV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPQT:pt5hBPi0BW69hd1MMdxPe9N9uA069TB6

    Score
    10/10
    executionxmrigdiscoveryminer

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      a6b647b49538fe599002c116ee5cd79c7e2d472cb48b24b1dfcf9a2718088c2a.bin

    • Size

      494KB

    • MD5

      434f706017b7f673ed5586f1470d7d28

    • SHA1

      f431be69eab7bec0c1752f54977e32fd60278617

    • SHA256

      a6b647b49538fe599002c116ee5cd79c7e2d472cb48b24b1dfcf9a2718088c2a

    • SHA512

      d019cb403225f85f5344fb94da6257b216baa5b66000821a0357b03db9da555e51a6cfad576570bfc62f0db8077d92af9793843d48b0e1045ede79e14c4222d7

    • SSDEEP

      12288:Q5p1UZ32H10rH5ZVZEsh8ZskmY5a4JNXuOwhDC/K:Q5pOZGHOrH5RLG64JNXQ1Q

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454.bin

    • Size

      1.6MB

    • MD5

      1dc908064451d5d79018241cea28bc2f

    • SHA1

      f0d9a7d23603e9dd3974ab15400f5ad3938d657a

    • SHA256

      d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454

    • SHA512

      6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

    • SSDEEP

      49152:Uq8Z+aOhmX72hf7OqockKkGYR7SGmUNmzKZg:sAaEhhyJcjkdNmeZg

    Score
    10/10
    systembcdefense_evasiondiscoverytrojan

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Systembc family

      systembc

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral11behavioral12

    • Target

      df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2.bin

    • Size

      48KB

    • MD5

      d39df45e0030e02f7e5035386244a523

    • SHA1

      9ae72545a0b6004cdab34f56031dc1c8aa146cc9

    • SHA256

      df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

    • SHA512

      69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

    • SSDEEP

      768:RRMOTuQwOYZiyYcpbEzlwF2g9ap4nLBFvpzbHyV6N55IHFKSu87W78aETvqtnqUg:7MOiQwOYZEcKzlwb9u4nLbvpzLy0N55q

    Score
    10/10
    litehttpbotexecutionpersistencestealer

    • LiteHTTP

      LiteHTTP is an open-source bot written in C#.

      stealerbotlitehttp

    • Litehttp family

      litehttp

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Adds Run key to start application

      persistence
    behavioral13behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

3
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Modify Authentication Process

1
T1556

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Authentication Process

1
T1556

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Query Registry

7
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks