amadey

Sharing

Copy URL

Twitter E-mail

General

Target

4363463463464363463463463.exe
Size

10KB
Sample

240130-ax3v4sfddr
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

HacKed

http://190.123.44.240

Mutex

BN[]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
true
usb_spread
false

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Load_Man

leetman.dynuddns.com:1337

Mutex

AsyncMutex_6SI8asdasd2casOkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_tcp

185.223.235.19:4444

Extracted

Family

amadey

Version

4.17

http://5.42.66.29

Attributes

install_dir
f60f0ba310
install_file
Dctooux.exe
strings_key
f34f781563773d1d56ad6459936524d1
url_paths
/b9djjcaSed/index.php

rc4.plain

Extracted

Family

vidar

Version

55.7

Botnet

1827

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

http://116.202.2.1:80

Attributes

profile_id
1827

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://maxximbrasil.com/themes/config_20.ps1

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

redline

Botnet

@Pixelscloud

94.156.66.203:13781

Extracted

Family

amadey

Version

4.12

http://185.172.128.19

Attributes

install_dir
cd1f156d67
install_file
Utsysc.exe
strings_key
0dd3e5ee91b367c60c9e575983554b30
url_paths
/ghsdh39s/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://vatra.at/tmp/

http://spbdg.ru/tmp/

http://skinndia.com/tmp/

http://cracker.biz/tmp/

http://piratia-life.ru/tmp/

http://piratia.su/tmp/

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

redline

Botnet

666

195.20.16.103:18305

Extracted

Family

lumma

https://consciouosoepewmausj.site/api

https://braidfadefriendklypk.site/api

Extracted

Family

remcos

Botnet

Go!!!

dangerous.hopto.org:2404

dangerous.hopto.org:2602

91.92.242.184:2602

91.92.242.184:2404

Attributes

audio_folder
??????????? ??????
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
taskhost.exe
copy_folder
System32
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
tapiui.dat
keylog_flag
false
keylog_folder
System32
mouse_option
false
mutex
???-LDKG91
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
?????????
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

xworm

209.145.51.44:7000

Mutex

iLWUbOJf8Atlquud

Attributes

install_file
USB.exe

aes.plain

Extracted

Credentials

Protocol: ftp
Host:
braun-web.de
Port:
21
Username:
[email protected]
Password:
W-',MR8n2X

Extracted

Credentials

Protocol: ftp
Host:
braun-web.de
Port:
21
Username:
florian
Password:
W-',MR8n2X

Extracted

Credentials

Protocol: ftp
Host:
braun-web.de
Port:
21
Username:
admin
Password:
W-',MR8n2X

Extracted

Credentials

Protocol: ftp
Host:
braun-web.de
Port:
21
Username:
braun-web
Password:
W-',MR8n2X

Extracted

Family

xworm

Version

5.0

canadian-perspectives.gl.at.ply.gg:33203

Mutex

TLsk4Xp0P8GNpwQw

Attributes

Install_directory
%AppData%
install_file
msedge.exe

aes.plain

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

amadey asyncrat blacknet dcrat metasploit smokeloader vidar xmrig zgrat 1827 hacked load_man backdoor infostealer miner persistence pyinstaller rat stealer trojan glupteba lumma redline risepro 666 @pixelscloud pub1 pub2 dropper evasion loader upx remcos stealc xworm go!!!discovery rootkit spyware vmprotect quasar rhadamanthys
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- BlackNET
  BlackNET is an open source remote access tool written in VB.NET.
  trojan blacknet
- BlackNET payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Xworm Payload
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- XMRig Miner payload
  miner
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- Blocklisted process makes network request
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Modifies powershell logging option
  evasion
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4