amadey

Sharing

Copy URL

Twitter E-mail

General

Target

4363463463464363463463463.bin.zip
Size

4KB
Sample

231227-g3xdvaghgl
MD5

6b28b9cf0154ec6cb4f9621b5f4e0824
SHA1

aa7343e7f08b816805f99ac16de8e95f1df29925
SHA256

75aaf15409cca4ff0c2dd844f68e9ac05b8e47f5ce46a4c94f60f518e6ea53cf
SHA512

a046e68ebb9dbe589b6ae1e36e72bac1096bddb3bbec58194c1e9d79307895614e51a0fd651a6aaed2e3b4480bef62e6beecd421d02f342c2bc76a91177df649
SSDEEP

96:uLeb/6iIz3SS14lsPQlTQmC0SsueFTNXtlp7idGOv/+h1q:bb/FIzd1eEyhNdb7is0/+nq

Malware Config

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.cdqw
offline_id
mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1
payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0840ASdw

rsa_pubkey.plain

Extracted

Family

lumma

http://soupinterestoe.fun/api

Extracted

Family

metasploit

Version

windows/reverse_tcp

193.117.208.148:7800

Extracted

Family

guloader

http://www.mountveederwines.com/a1/bin_encrypted_C58FF9F.bin

xor.base64

Extracted

Family

redline

Botnet

inst

194.50.153.173:24496

Attributes

auth_value
2a80a65ebb5123b2992638cb5ce3df56

Extracted

Family

metasploit

Version

windows/reverse_http

http://5.148.32.222:8443/A56WY

http://193.117.208.148:7800/7bnN3Shf4KLzpvKnlvobIgNqpSWNXCMQMVqyVSViS7vMVf1iAKbd2nCHvw3oPEvMCHZK-l4GsYtJANxJbyE5eZKBElDNR1ZWi_gAl7db

Extracted

Family

redline

Botnet

new

52.91.10.228:9891

Extracted

Family

xworm

Version

5.0

canadian-perspectives.gl.at.ply.gg:33203

Mutex

TLsk4Xp0P8GNpwQw

Attributes

Install_directory
%AppData%
install_file
msedge.exe

aes.plain

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://maxximbrasil.com/themes/config_20.ps1

Extracted

Credentials

Protocol: ftp
Host:
162.248.54.77
Port:
21
Username:
appftp
Password:
$ftp365284$

Targets

- Target
  
  4363463463464363463463463.bin
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

dcrat djvu lumma smokeloader lab backdoor bootkit discovery evasion infostealer persistence ransomware rat spyware stealer trojan upx gh0strat guloader metasploit redline sectoprat xmrig xworm ytstealer zgrat inst new downloader miner amadey
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Lumma Stealer payload V4
- Detect Xworm Payload
- Detect ZGRat V1
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XMRig Miner payload
  miner
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- YTStealer
  YTStealer is a malware designed to steal YouTube authentication cookies.
  stealer ytstealer
- YTStealer payload
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Sets file execution options in registry
  persistence
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies powershell logging option
  evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4