amadey

Sharing

Copy URL

Twitter E-mail

General

Target

money generator.dat
Size

6KB
Sample

230511-a76praah88
MD5

7487dc64d989f425e6f9423ea010a0cb
SHA1

1589c6f4b75968ccd77d4929272d619cdd22b491
SHA256

482a4cf3eb221445e7d2b45dff43b565d6c203170313f0fad30aa920f61747ad
SHA512

0f83aea200ad6b6a4a268abc793000445202388057afdf76db8d3cf4f9b15f95a13af4edb8d96f12574ca773c626224703293afd6447c84dc172558b7bf305ee
SSDEEP

96:NAuz8uzSluz+U2gJahPiDHrtedYfzJ0pkuw5bzNt:yzdlk2xhPiLRedYtokD9

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Family

systembc

148.251.236.201:443

Extracted

Family

redline

Botnet

cheat

194.87.151.202:9578

Extracted

Family

lokibot

http://208.67.105.148/ok/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

redline

Botnet

06.05 youtube

23.226.129.17:20619

Attributes

auth_value
21645ccdf8187508e3b133b1d80a162e

Extracted

Family

redline

Botnet

mixa

185.161.248.75:4132

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Extracted

Family

redline

Botnet

lux3

176.123.9.142:14845

Attributes

auth_value
e94dff9a76da90d6b000642c4a52574b

Targets

- Target
  
  money generator.dat
- Size
  
  6KB
- MD5
  
  7487dc64d989f425e6f9423ea010a0cb
- SHA1
  
  1589c6f4b75968ccd77d4929272d619cdd22b491
- SHA256
  
  482a4cf3eb221445e7d2b45dff43b565d6c203170313f0fad30aa920f61747ad
- SHA512
  
  0f83aea200ad6b6a4a268abc793000445202388057afdf76db8d3cf4f9b15f95a13af4edb8d96f12574ca773c626224703293afd6447c84dc172558b7bf305ee
- SSDEEP
  
  96:NAuz8uzSluz+U2gJahPiDHrtedYfzJ0pkuw5bzNt:yzdlk2xhPiLRedYtokD9
Score

10^/10

amadey gh0strat lokibot redline sectoprat stormkitty systembc xmrig 06.05 youtube cheat lux3 mixa evasion infostealer miner persistence ransomware rat spyware stealer trojan upx vmprotect
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- XMRig Miner payload
  miner
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2