amadey

Sharing

General

Target

9163a6415086a2610be12ecce764a40cfff1ba9b46041a2c2160e3df89e2889a
Size

346KB
Sample

230415-12ebesfh66
MD5

c8af8a0bc620e98496146d18c2f79acc
SHA1

39844f50a4b853e749a4a05f5337676fc8ba74d2
SHA256

9163a6415086a2610be12ecce764a40cfff1ba9b46041a2c2160e3df89e2889a
SHA512

87c94dacd4bbefcda7d7f00c15fa7081727c22d6d4ec312221941d61817d5eadb92725491cb0c38ec36effee11803507e37d6576f72822ceceff5279e268d673
SSDEEP

6144:MJlzm6r0ELvk3qQLXETYToSNHr23qYYbe4:MJlm6wKk3qQLUT8ZNLqqYYq4

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

http://aapu.at/tmp/

http://poudineh.com/tmp/

rc4.i32

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

amadey

Version

3.70

77.73.134.27/n9kdjc3xSf/index.php

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.boty
offline_id
A5whrmSMRYQPLIwxS6XFix1PGn8lJ9uXUaipSat1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-eneUZ5ccES Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0688UIuhd

rsa_pubkey.plain

Extracted

Family

vidar

Version

3.4

Botnet

623db25256a5734d1207787d269d05b2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
623db25256a5734d1207787d269d05b2
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Targets

- Target
  
  9163a6415086a2610be12ecce764a40cfff1ba9b46041a2c2160e3df89e2889a
- Size
  
  346KB
- MD5
  
  c8af8a0bc620e98496146d18c2f79acc
- SHA1
  
  39844f50a4b853e749a4a05f5337676fc8ba74d2
- SHA256
  
  9163a6415086a2610be12ecce764a40cfff1ba9b46041a2c2160e3df89e2889a
- SHA512
  
  87c94dacd4bbefcda7d7f00c15fa7081727c22d6d4ec312221941d61817d5eadb92725491cb0c38ec36effee11803507e37d6576f72822ceceff5279e268d673
- SSDEEP
  
  6144:MJlzm6r0ELvk3qQLXETYToSNHr23qYYbe4:MJlm6wKk3qQLUT8ZNLqqYYq4
Score

10^/10

amadey djvu laplas lumma smokeloader vidar 623db25256a5734d1207787d269d05b2 pub1 sprg backdoor clipper discovery evasion persistence ransomware spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies security service
  evasion
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Blocklisted process makes network request
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1