General

  • Target

    b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe

  • Size

    452KB

  • Sample

    250308-pvdkrsxlv9

  • MD5

    a9749ee52eefb0fd48a66527095354bb

  • SHA1

    78170bcc54e1f774528dea3118b50ffc46064fe0

  • SHA256

    b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

  • SHA512

    9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

  • SSDEEP

    12288:Rib1rFTRH6serb/p93j6fGMWP1N72h8xp:IH659m+Mk1YW

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://�������� jlgenfekjlfnvtgpegkwr.xyz

Attributes
  • install_dir

    a58456755d

  • install_file

    Gxtuum.exe

  • strings_key

    00fadbeacf092dfd58b48ef4ac68f826

  • url_paths

    /3ofn3jf3e2ljk/index.php

  • rc4.plain

    bf11e9eb444cca0553e5dc41fdf05974

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

Attributes
  • dns

    5.132.191.104

Targets

    • Target

      b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Systembc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks
