amadey

Sharing

Copy URL

Twitter E-mail

General

Target

c3650ffb41f2a9cf3f42b9ab1a26e0f2859d5453cad93637280b71ae014a8504
Size

347KB
Sample

230416-kfhhysbb6x
MD5

678a12418820942eaa347890faa4fb6e
SHA1

72fb40d1eb64c3a61acb6631742871168a088b69
SHA256

c3650ffb41f2a9cf3f42b9ab1a26e0f2859d5453cad93637280b71ae014a8504
SHA512

771e3e80c3311eb750d3a88c8f6000f32da979653f4e837d30bf967cef074a48f7fa2ba4241cd75fd1826b116bb1c93eec9e27a9b909689c1ed398525245f9c0
SSDEEP

6144:wvzth0VeyW663ezyOGOT7xI6BPv44Ft10OBGUR:wvZhmE663ezTGBw44P10OBGU

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

http://aapu.at/tmp/

http://poudineh.com/tmp/

rc4.i32

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

amadey

Version

3.70

77.73.134.27/n9kdjc3xSf/index.php

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.boty
offline_id
A5whrmSMRYQPLIwxS6XFix1PGn8lJ9uXUaipSat1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-eneUZ5ccES Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0688UIuhd

rsa_pubkey.plain

Extracted

Family

vidar

Version

3.4

Botnet

623db25256a5734d1207787d269d05b2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes

profile_id_v2
623db25256a5734d1207787d269d05b2
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Targets

- Target
  
  c3650ffb41f2a9cf3f42b9ab1a26e0f2859d5453cad93637280b71ae014a8504
- Size
  
  347KB
- MD5
  
  678a12418820942eaa347890faa4fb6e
- SHA1
  
  72fb40d1eb64c3a61acb6631742871168a088b69
- SHA256
  
  c3650ffb41f2a9cf3f42b9ab1a26e0f2859d5453cad93637280b71ae014a8504
- SHA512
  
  771e3e80c3311eb750d3a88c8f6000f32da979653f4e837d30bf967cef074a48f7fa2ba4241cd75fd1826b116bb1c93eec9e27a9b909689c1ed398525245f9c0
- SSDEEP
  
  6144:wvzth0VeyW663ezyOGOT7xI6BPv44Ft10OBGUR:wvZhmE663ezTGBw44P10OBGU
Score

10^/10

amadey djvu laplas lumma rhadamanthys smokeloader vidar 623db25256a5734d1207787d269d05b2 pub1 sprg backdoor clipper collection discovery evasion persistence ransomware spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Laplas Clipper
  Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
  stealer clipper laplas
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies security service
  evasion
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Blocklisted process makes network request
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1