amadey

Sharing

Copy URL

Twitter E-mail

General

Target

e1f6a31a7554fd1daa8017d467ebc61e5ddd1f2df0c7eaa3946d344eef92a226
Size

347KB
Sample

230416-hcamtshc64
MD5

c33f4e1fee004fa656d7847a74f1f0bf
SHA1

e08e9ed30b5d6dd7ee68cf80abb3758ff7c7534a
SHA256

e1f6a31a7554fd1daa8017d467ebc61e5ddd1f2df0c7eaa3946d344eef92a226
SHA512

fc19cb00cdb22503fc4c6c0d504085d06c1c0639892be2a5141074d71e8ca1e39f0514a8c08e838e0f6e7749c8283fb53c3f7255463c76c2df83cf1df9220986
SSDEEP

6144:J1G2rIk23Kh2fUYHcttKvOKjyYuSM4kEREbe4:J17rXdh2fUY8tKjuSdpREq4

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

http://aapu.at/tmp/

http://poudineh.com/tmp/

rc4.i32

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

amadey

Version

3.70

77.73.134.27/n9kdjc3xSf/index.php

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.boty
offline_id
A5whrmSMRYQPLIwxS6XFix1PGn8lJ9uXUaipSat1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-eneUZ5ccES Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0688UIuhd

rsa_pubkey.plain

Extracted

Family

vidar

Version

3.4

Botnet

623db25256a5734d1207787d269d05b2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
623db25256a5734d1207787d269d05b2
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Targets

- Target
  
  e1f6a31a7554fd1daa8017d467ebc61e5ddd1f2df0c7eaa3946d344eef92a226
- Size
  
  347KB
- MD5
  
  c33f4e1fee004fa656d7847a74f1f0bf
- SHA1
  
  e08e9ed30b5d6dd7ee68cf80abb3758ff7c7534a
- SHA256
  
  e1f6a31a7554fd1daa8017d467ebc61e5ddd1f2df0c7eaa3946d344eef92a226
- SHA512
  
  fc19cb00cdb22503fc4c6c0d504085d06c1c0639892be2a5141074d71e8ca1e39f0514a8c08e838e0f6e7749c8283fb53c3f7255463c76c2df83cf1df9220986
- SSDEEP
  
  6144:J1G2rIk23Kh2fUYHcttKvOKjyYuSM4kEREbe4:J17rXdh2fUY8tKjuSdpREq4
Score

10^/10

amadey djvu laplas lumma smokeloader vidar 623db25256a5734d1207787d269d05b2 pub1 sprg backdoor clipper collection discovery evasion persistence ransomware spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies security service
  evasion
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Blocklisted process makes network request
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1