amadey

Sharing

General

Target

40246056c4d8b6d35692820060f134d04f66759f710df8353a8b4419d49efe8a
Size

351KB
Sample

230414-qwjnvaaa84
MD5

cd77a11838315da5ab689d51dfe20c68
SHA1

3d40646e3f355e5a22be769a579eb638e12b8dc8
SHA256

40246056c4d8b6d35692820060f134d04f66759f710df8353a8b4419d49efe8a
SHA512

158b4180d840a77e11242584a0ceea0514da5f8315c5d83b9d398938d66e6905ee4980f622c37b258cd33bf382e17cbc6bb4fb1f4b754c2ec3571a8db1a2caee
SSDEEP

6144:zXRaTsSjuyA+UiRXfO1vyATu7sTqD3XTbbkP34t:zXQT/uy9UiRvO162QXbkP

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.boty
offline_id
A5whrmSMRYQPLIwxS6XFix1PGn8lJ9uXUaipSat1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-eneUZ5ccES Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0688UIuhd

rsa_pubkey.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

amadey

Version

3.70

77.73.134.27/n9kdjc3xSf/index.php

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

vidar

Version

3.4

Botnet

623db25256a5734d1207787d269d05b2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
623db25256a5734d1207787d269d05b2
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Targets

- Target
  
  40246056c4d8b6d35692820060f134d04f66759f710df8353a8b4419d49efe8a
- Size
  
  351KB
- MD5
  
  cd77a11838315da5ab689d51dfe20c68
- SHA1
  
  3d40646e3f355e5a22be769a579eb638e12b8dc8
- SHA256
  
  40246056c4d8b6d35692820060f134d04f66759f710df8353a8b4419d49efe8a
- SHA512
  
  158b4180d840a77e11242584a0ceea0514da5f8315c5d83b9d398938d66e6905ee4980f622c37b258cd33bf382e17cbc6bb4fb1f4b754c2ec3571a8db1a2caee
- SSDEEP
  
  6144:zXRaTsSjuyA+UiRXfO1vyATu7sTqD3XTbbkP34t:zXQT/uy9UiRvO162QXbkP
Score

10^/10

amadey djvu laplas smokeloader vidar 623db25256a5734d1207787d269d05b2 pub1 sprg backdoor clipper collection discovery evasion persistence ransomware spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Modifies security service
  evasion
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Blocklisted process makes network request
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1