Description
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
General
Target
Size
Sample
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe
9MB
220523-b8rgwsbdh8
Score
10/10
MD5
SHA1
SHA256
SHA512
93e23e5bed552c0500856641d19729a8
7e14cdf808dcd21d766a4054935c87c89c037445
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
3996d6144bd7dab401df7f95d4623ba91502619446d7c877c2ecb601f23433c9447168e959a90458e0fae3d9d39a03c25642f611dbc3114917cad48aca2594ff
Malware Config
Extracted
| Family | socelars |
| C2 |
http://www.iyiqian.com/ http://www.xxhufdc.top/ http://www.uefhkice.xyz/ http://www.znsjis.top/ |
Extracted
| Family | redline |
| Botnet | UDP |
| C2 |
45.9.20.20:13441 |
Extracted
| Family | smokeloader |
| Version | 2020 |
| C2 |
http://govsurplusstore.com/upload/ http://best-forsale.com/upload/ http://chmxnautoparts.com/upload/ http://kwazone.com/upload/ http://monsutiur4.com/ http://nusurionuy5ff.at/ http://moroitomo4.net/ http://susuerulianita1.net/ http://cucumbetuturel4.com/ http://nunuslushau.com/ http://linislominyt11.at/ http://luxulixionus.net/ http://lilisjjoer44.com/ http://nikogminut88.at/ http://limo00ruling.org/ http://mini55tunul.com/ http://samnutu11nuli.com/ http://nikogkojam.org/ |
| rc4.i32 |
|
| rc4.i32 |
|
| rc4.i32 |
|
| rc4.i32 |
|
Extracted
| Family | metasploit |
| Version | windows/single_exec |
Extracted
| Family | redline |
| Botnet | Ruzki |
| C2 |
193.233.48.58:38989 |
| Attributes |
auth_value 80c38cc7772c328c028b0e4f42a3fac6 |
Extracted
| Family | redline |
| Botnet | meta1 |
| C2 |
193.106.191.182:23196 |
| Attributes |
auth_value 9a16ce2cecb89012977449117f5e8d58 |
Extracted
| Family | djvu |
| C2 |
http://ugll.org/test3/get.php |
| Attributes |
extension .fefg
offline_id eBNgvyGQV1Hmt9DBdxVRs8qPi1agsS7OaohPmit1
payload_url http://zerit.top/dl/build2.exe http://ugll.org/files/1/build3.exe
ransomnote ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-j3AdKrnQie
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
admin@helpdata.top
Reserve e-mail address to contact us:
supportsys@airmail.cc
Your personal ID:
0482JIjdm |
| rsa_pubkey.plain |
|
Extracted
| Family | amadey |
| Version | 3.10 |
| C2 |
185.215.113.38/f8dfksdj3/index.php |
Extracted
| Family | redline |
| Botnet | penus |
| C2 |
2.56.57.165:1950 |
| Attributes |
auth_value af8fd03376adf1e7ee26e35b50422e77 |
Extracted
| Family | vidar |
| Version | 52.2 |
| Botnet | 937 |
| C2 |
https://t.me/netflixaccsfree https://mastodon.social/@ronxik12 |
| Attributes |
profile_id 937 |
Extracted
| Family | redline |
| Botnet | ruzki |
| C2 |
185.215.113.85:10018 |
| Attributes |
auth_value 665880cf53f5187ff0e3d12b56218683 |
Targets
Target
MD5
Filesize
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe
93e23e5bed552c0500856641d19729a8
9MB
Score
10/10
SHA1
SHA256
SHA512
7e14cdf808dcd21d766a4054935c87c89c037445
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
3996d6144bd7dab401df7f95d4623ba91502619446d7c877c2ecb601f23433c9447168e959a90458e0fae3d9d39a03c25642f611dbc3114917cad48aca2594ff
Tags
Signatures
-
Amadey
-
Detected Djvu ransomware
-
Djvu Ransomware
Description
Ransomware which is a variant of the STOP family.
Tags
-
FFDroider
Description
Stealer targeting social media platform users first seen in April 2022.
Tags
-
FFDroider Payload
-
Glupteba
Description
Glupteba is a modular loader written in Golang with various components.
Tags
-
Glupteba Payload
-
MetaSploit
Description
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Tags
-
Modifies Windows Defender Real-time Protection settings
Tags
TTPs
-
OnlyLogger
Description
A tiny loader that uses IPLogger to get its payload.
Tags
-
Process spawned unexpected child process
Description
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
RedLine Payload
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Socelars
Description
Socelars is an infostealer targeting browser cookies and credit card credentials.
Tags
-
Socelars Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Description
Vidar is an infostealer based on Arkei stealer.
Tags
-
suricata: ET MALWARE Amadey CnC Check-In
Description
suricata: ET MALWARE Amadey CnC Check-In
Tags
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Description
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Tags
-
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
Description
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
Tags
-
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
Description
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
Tags
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Description
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Tags
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Description
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Tags
-
OnlyLogger Payload
-
Vidar Stealer
Tags
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
UPX packed file
Description
Detects executables packed with UPX/modified UPX open source packer.
Tags
-
VMProtect packed file
Description
Detects executables packed with VMProtect commercial packer.
Tags
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Loads dropped DLL
-
Modifies file permissions
Tags
TTPs
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Adds Run key to start application
Tags
TTPs
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Checks whether UAC is enabled
Tags
TTPs
-
Legitimate hosting services abused for malware hosting/C2
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Description
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Tasks
static1
Score
N/A
behavioral1
Score
10/10
behavioral2
Score
10/10