amadey

General

Target

a.exe
Size

5KB
Sample

230908-1tmmtsff28
MD5

fd3f7d8082b7cddb0e20ad1e8fd5d285
SHA1

ff51a1c5cab13afe0178163b2b9d60e49c799b74
SHA256

7ec0d3e3dc4222f34c482926ce1f971b51929e95b9d097140bc1f4b1c84dafd9
SHA512

166a2e743346bd5016b36278fb4bae0a96f86ce920ebae777baada95be887b679f5360de914c0563828dc2eadf2c091564c9f5cb05de32bd7f3b252a6f53deaa
SSDEEP

48:6AtGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/IL/cpwOulavTqXSfbNtm:RIUiqtaJkeqDUtfcpmsvNzNt

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://80.66.79.27/o.png

Extracted

Family

aurora

C2

212.87.204.93:8081

Extracted

Family

statusrecorder

C2

185.106.94.73

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Targets

- Target
  
  a.exe
- Size
  
  5KB
- MD5
  
  fd3f7d8082b7cddb0e20ad1e8fd5d285
- SHA1
  
  ff51a1c5cab13afe0178163b2b9d60e49c799b74
- SHA256
  
  7ec0d3e3dc4222f34c482926ce1f971b51929e95b9d097140bc1f4b1c84dafd9
- SHA512
  
  166a2e743346bd5016b36278fb4bae0a96f86ce920ebae777baada95be887b679f5360de914c0563828dc2eadf2c091564c9f5cb05de32bd7f3b252a6f53deaa
- SSDEEP
  
  48:6AtGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/IL/cpwOulavTqXSfbNtm:RIUiqtaJkeqDUtfcpmsvNzNt
Score

10^/10

amadey aurora dcrat djvu formbook gurcu healer phemedrone redline statusrecorder sy22 discovery dropper evasion infostealer pyinstaller ransomware rat spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Gurcu Stealer V3 payload
- Detects Healer an antivirus disabler dropper
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Status Recorder Stealer
  Status Recorder is a crypto stealer written in C++.
  stealer statusrecorder
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Formbook payload
  rat
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Executes dropped EXE
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1