amadey

Resubmissions

26-11-2023 09:21

231126-lbtk4agc89 10

26-11-2023 00:07

231126-aeeessdf63 10

Sharing

Copy URL

Twitter E-mail

General

Target

New Text Document.bin.zip
Size

1KB
Sample

231126-aeeessdf63
MD5

7b8cf745b6f7ff0759ce8b0f0094280a
SHA1

088cab8231706aa73e1b4c77caeed47fa9880f04
SHA256

5ba928131e9745c59c4d1f6884ca57cce9a2bfb6a94ca321531ca67852920f25
SHA512

fd5e3a59082b51429a22046a653276f98be7a4c2550c6084356740ef2978707cc1f1701b5cdb55276b2e264ca1d918f928eab7d465374b41818c0088170ffe12

Malware Config

Extracted

Family

bumblebee

Botnet

onkomsi2

Attributes

dga
n64c2akw.life

zefawfb0.life

dph3pby8.life

hx0hysyg.life

1qa3k743.life

luw8ubf2.life

rbvsf6io.life

4huoqrsp.life

8qwcvseh.life

37zi55wc.life

i9f44mju.life

aqnx9c9h.life

3nmeg5wa.life

r5ue5rok.life

et53yjoc.life

tvgco82h.life

0xtmu3tz.life

6xhpschv.life

6o26tws0.life

0oz7923s.life

54y2q50j.life

9hh7hq5r.life

r0ca080m.life

43vtghfz.life

qal55els.life

p5e68m36.life

x698iah6.life

kqn0zkig.life

wq6w8jkq.life

i6n08gx7.life

yykdmh0r.life

is45ipqt.life

btycmaq0.life

bei9dppm.life

3jhcm6ou.life

1q04n1r6.life

10ciy2hb.life

11ou1grl.life

83b0leyy.life

t31jn4t1.life

b24f19ne.life

igak9l9s.life

hkgd9kar.life

02uhomlq.life

zpy1vssg.life

j57fzy12.life

zmlly8xo.life

pe6r5tzc.life

cg4cuoyi.life

pyjijjlm.life

m3vc2ce4.life

p1p97dov.life

ep0kbvph.life

0rlxan4o.life

zdx0i18o.life

7kmzys39.life

e97igyz6.life

hjcbhzd8.life

az77sw77.life

d0k4fdaa.life

c9l8ri53.life

ay03u2te.life

t99iv15x.life

6a1fbhay.life

zna5lybe.life

vxyojl27.life

mddoknvi.life

2z2dl1og.life

vojg90l2.life

awr5omre.life

tcjcv520.life

aqjjchti.life

6qwim2j8.life

1p34o0do.life

8hxwl72r.life

wykpnxcx.life

o10qz4xe.life

7564a2mg.life

aiv8bb2b.life

jwyxm0f3.life

4soexc4m.life

3xqy6csn.life

3k8iq1nb.life

w2hje2t7.life

fra3xqrx.life

4r3inwrt.life

qhfoevow.life

a9nhflze.life

jpngew6a.life

baunjh6t.life

yqofro9q.life

uq034w07.life

oq36weoi.life

vv5sfo80.life

0req10rd.life

m4v4xq2f.life

1p24echu.life

ohwv1vpp.life

z2tp7x2v.life

q65io756.life
dga_seed
anjd78ka
domain_length
8
num_dga_domains
100
port
443

rc4.plain

Extracted

Family

risepro

194.49.94.152

Extracted

Family

xworm

Version

3.1

needforrat.hopto.org:7000

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

needforrat.hopto.org:7772

Mutex

47b887645f4457386c0b55e0a170685a

Attributes

reg_key
47b887645f4457386c0b55e0a170685a
splitter
|'|'|

Extracted

Family

formbook

Version

4.1

Campaign

tb8i

Decoy

097jz.com

physium.net

sherwoodsubnet.com

scbaya.fun

us2048.top

danlclmn.com

starsyx.com

foxbox-digi.store

thefishermanhouse.com

salvanandcie.com

rykuruh.cfd

gelaoguan.net

petar-gojun.com

coandcompanyboutique.com

decentralizedcryptos.com

ecuajet.net

livbythebeach.com

cleaning-services-33235.bond

free-webbuilder.today

pussypower.net

Extracted

Family

netwire

127.0.0.1:3360

needforrat.hopto.org:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
TestLink.lnk
lock_executable
false
mutex
JjkhHVmd
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

quasar

Version

1.4.0

Botnet

Office05

needforrat.hopto.org:7771

Mutex

d70dba78-082d-4d62-9d71-b4a1c6961022

Attributes

encryption_key
110272D9471BA005C613D451E07D98ABB8403AED
install_name
Client1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir

Extracted

Family

stealc

http://raphaelbischoff.icu

http://finnmanninger.icu

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

amadey

Version

4.13

http://65.108.99.238

http://brodoyouevenlift.co.za

Attributes

strings_key
bda044f544861e32e95f5d49b3939bcc
url_paths
/yXNwKVfkS28Y/index.php

/g5ddWs/index.php

/pOVxaw24d/index.php

rc4.plain

Targets

- Target
  
  New Text Document.bin
- Size
  
  4KB
- MD5
  
  a239a27c2169af388d4f5be6b52f272c
- SHA1
  
  0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
- SHA256
  
  98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
- SHA512
  
  f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
- SSDEEP
  
  48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Score

10^/10

amadey bumblebee dcrat formbook glupteba netwire njrat privateloader quasar risepro smokeloader stealc xworm hacked office05 onkomsi2 up3 tb8i backdoor botnet dropper evasion infostealer loader persistence rat spyware stealer themida trojan upx discovery vmprotect
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- BumbleBee
  BumbleBee is a loader malware written in C++.
  loader bumblebee
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Detect Xworm Payload
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Formbook payload
  rat
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3