General
-
Target
random.exe
-
Size
5.6MB
-
Sample
250316-rslvgaszdx
-
MD5
f0cad0627e4b852e7ce633df29855373
-
SHA1
3187e3016d889fdcb5f3c38cc19c1dac27163fe4
-
SHA256
e7b933849e850c1778c1378c7a5d07df318d86f7b3ee6257885b768fa81f685c
-
SHA512
c121d9a4d2ced148ac422e193096e7596c8270c662065b9f16efe4ec4ccc1552b44ad92511246fdde7fed55fbb53c178a5da28a84533707a907084c25ad9c615
-
SSDEEP
98304:6zd9u3jgDjebrGE5pd8PY22ImKYMFCqgupRERune9rmqy3kG/TQ8swX+hh/YG6GR:0dMgebrREbJPYIpKcneY13LTQf6+hVYM
Static task
static1
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://citydisco.bet/api
https://crosshairc.life/api
https://mrodularmall.top/api
https://jowinjoinery.icu/api
https://legenassedk.top/api
https://4htardwarehu.icu/api
https://cjlaspcorne.icu/api
https://bugildbett.top/api
https://weaponrywo.digital/api
https://begindecafer.world/api
https://9garagedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://catterjur.run/api
https://orangemyther.live/api
https://fostinjec.today/api
https://ksterpickced.digital/api
https://loadoutle.life/api
https://caliberc.today/api
https://pistolpra.bet/api
https://weaponwo.life/api
https://armamenti.world/api
https://selfdefens.bet/api
https://targett.top/api
https://armoryarch.shop/api
https://fblackeblast.run/api
https://kbracketba.shop/api
https://featureccus.shop/api
https://htardwarehu.icu/api
https://latchclan.shop/api
https://zfurrycomp.top/api
https://8cjlaspcorne.icu/api
https://adweaponrywo.digital/api
https://.cocjkoonpillow.today/api
https://zfeatureccus.shop/api
https://yhtardwarehu.icu/api
Extracted
stealc
trump
http://45.93.20.28
-
url_path
/85a1cacf11314eb8.php
Targets
-
-
Target
random.exe
-
Size
5.6MB
-
MD5
f0cad0627e4b852e7ce633df29855373
-
SHA1
3187e3016d889fdcb5f3c38cc19c1dac27163fe4
-
SHA256
e7b933849e850c1778c1378c7a5d07df318d86f7b3ee6257885b768fa81f685c
-
SHA512
c121d9a4d2ced148ac422e193096e7596c8270c662065b9f16efe4ec4ccc1552b44ad92511246fdde7fed55fbb53c178a5da28a84533707a907084c25ad9c615
-
SSDEEP
98304:6zd9u3jgDjebrGE5pd8PY22ImKYMFCqgupRERune9rmqy3kG/TQ8swX+hh/YG6GR:0dMgebrREbJPYIpKcneY13LTQf6+hVYM
-
Amadey family
-
Detects Healer an antivirus disabler dropper
-
Gcleaner family
-
Healer family
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings
-
Modifies Windows Defender notification settings
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
5Disable or Modify Tools
5Modify Authentication Process
1Modify Registry
6Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5