amadey

Sharing

Copy URL

Twitter E-mail

General

Target

df42368ac1eb251bad822b304f131d7ac0f6eac4a071e320dedd63895c40cc61
Size

238KB
Sample

240121-2e83ysbga5
MD5

f6ff3a0cbac3c500cbb81c2b4b7ad4bc
SHA1

ee53ba28ff07790844f11f00302271a7e87df1cf
SHA256

df42368ac1eb251bad822b304f131d7ac0f6eac4a071e320dedd63895c40cc61
SHA512

96df27f35e257c970d92989ec1ce533e85b7a45927ebb9a13068159b67909e88c7ffd4e92fe9fabf8003023b3d0697ad54850175e51e82e2f0be073ca8286aea
SSDEEP

6144:BxQaL79x1KehiLiW6b2kH1X6jDF0f5d9t4:vrH9x1KeIkH1X6jDF0Db

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdpo
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

amadey

Version

4.17

http://185.196.10.34

Attributes

install_dir
eff1401c19
install_file
Dctooux.exe
strings_key
6e23b5eadc27bb0b2eaebdd4fed1beb2
url_paths
/b8sdjsdkS/index.php

rc4.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

45.15.156.60:12050

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

91.92.248.67:6606

91.92.248.67:7707

91.92.248.67:8808

Mutex

MOgiiF6Liim5

Attributes

delay
3
install
false
install_file
temp.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

ST12

185.172.128.33:38294

Targets

- Target
  
  df42368ac1eb251bad822b304f131d7ac0f6eac4a071e320dedd63895c40cc61
- Size
  
  238KB
- MD5
  
  f6ff3a0cbac3c500cbb81c2b4b7ad4bc
- SHA1
  
  ee53ba28ff07790844f11f00302271a7e87df1cf
- SHA256
  
  df42368ac1eb251bad822b304f131d7ac0f6eac4a071e320dedd63895c40cc61
- SHA512
  
  96df27f35e257c970d92989ec1ce533e85b7a45927ebb9a13068159b67909e88c7ffd4e92fe9fabf8003023b3d0697ad54850175e51e82e2f0be073ca8286aea
- SSDEEP
  
  6144:BxQaL79x1KehiLiW6b2kH1X6jDF0f5d9t4:vrH9x1KeIkH1X6jDF0Db
Score

10^/10

amadey djvu loaderbot risepro smokeloader vidar xmrig zgrat pub1 backdoor discovery loader miner ransomware rat stealer trojan asyncrat dcrat redline default logsdiller cloud (tg: @logsdillabot)st12 infostealer persistence spyware
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Vidar Stealer
  stealer
- Detect ZGRat V1
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- LoaderBot
  LoaderBot is a loader written in .NET downloading and executing miners.
  loader miner loaderbot
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- LoaderBot executable
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

AsyncRat

DcRat

Detect Vidar Stealer

Detect ZGRat V1

Detected Djvu ransomware

Djvu Ransomware

LoaderBot

RedLine

RedLine payload

RisePro

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

ZGRat

xmrig

Async RAT payload

LoaderBot executable

XMRig Miner payload

Downloads MZ/PE file

Deletes itself

Drops startup file

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2