amadey

Sharing

Copy URL

Twitter E-mail

General

Target

011cf2c9ebe5cca6f57a11ea43c38395cdbb4fedee0932d1807ed46df4a3a81f
Size

352KB
Sample

230415-rx4wvafh7t
MD5

59be800c03b2fbdcff33c3c5df14a42a
SHA1

b3a772c40654fcfc2f41746274246582c7c23c48
SHA256

011cf2c9ebe5cca6f57a11ea43c38395cdbb4fedee0932d1807ed46df4a3a81f
SHA512

fb0f2a63da4e7911ee3ae861e35fdb5628394c772d68d1d6dd398a9c1c4cd6f689e8c4708f4cbfecd7a55ac6d381a854ee02aec7df68390d29124af8d666a112
SSDEEP

6144:BdpCMiQcOPRk+1LcVpPqjHkbSzMnmhO+we4:BdD/cOZk+1LcDPqbk49hO+t4

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.boty
offline_id
A5whrmSMRYQPLIwxS6XFix1PGn8lJ9uXUaipSat1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-eneUZ5ccES Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0688UIuhd

rsa_pubkey.plain

Extracted

Family

amadey

Version

3.70

77.73.134.27/n9kdjc3xSf/index.php

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

vidar

Version

3.4

Botnet

623db25256a5734d1207787d269d05b2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
623db25256a5734d1207787d269d05b2
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Targets

- Target
  
  011cf2c9ebe5cca6f57a11ea43c38395cdbb4fedee0932d1807ed46df4a3a81f
- Size
  
  352KB
- MD5
  
  59be800c03b2fbdcff33c3c5df14a42a
- SHA1
  
  b3a772c40654fcfc2f41746274246582c7c23c48
- SHA256
  
  011cf2c9ebe5cca6f57a11ea43c38395cdbb4fedee0932d1807ed46df4a3a81f
- SHA512
  
  fb0f2a63da4e7911ee3ae861e35fdb5628394c772d68d1d6dd398a9c1c4cd6f689e8c4708f4cbfecd7a55ac6d381a854ee02aec7df68390d29124af8d666a112
- SSDEEP
  
  6144:BdpCMiQcOPRk+1LcVpPqjHkbSzMnmhO+we4:BdD/cOZk+1LcDPqbk49hO+t4
Score

10^/10

amadey djvu laplas redline sectoprat smokeloader vidar 623db25256a5734d1207787d269d05b2 pub1 sprg backdoor clipper discovery evasion infostealer persistence ransomware rat spyware stealer trojan upx vmprotect
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1