amadey

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Sharing

Copy URL

Twitter E-mail

General

Target

FUCKER.exe
Size

10KB
Sample

240409-kfglnaaf84
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

185.196.10.233:4782

Mutex

a244256d-314d-4857-83fe-790ac24d7897

Attributes

encryption_key
0EC03133971030F6D05E6D59F71626F6543BBE65
install_name
gfdgfdg.exe
log_directory
Logs
reconnect_delay
3000
startup_key
fgfdhdgg
subdirectory
gfgfgf

Extracted

Family

amadey

Version

4.18

http://185.172.128.3

Attributes

install_dir
One_Dragon_Center
install_file
MSI.CentralServer.exe
strings_key
fd2f5851d3165c210396dcbe9930d294
url_paths
/QajE3OBS/index.php

rc4.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

KZ1

77.232.132.25:5001

Mutex

AsyncMutex_6SI8OJU68

Attributes

delay
3
install
false
install_file
service.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

KZ1

77.232.132.25:4999

Mutex

8892f097-602a-41ca-8df2-0bf3fd113bd2

Attributes

encryption_key
790BD6D1C1540AE1BFB811F2DC1E0185525C5DCB
install_name
LestaClient.exe
log_directory
LestaLogs
reconnect_delay
3000
startup_key
Lesta Game Center
subdirectory
Lesta

Extracted

Family

redline

Botnet

666

195.20.16.103:18305

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

@systemadminbd

172.86.101.115:4483

Extracted

Family

vidar

Version

8.6

Botnet

72f54d93118188013f2386eef7e5cc05

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

profile_id_v2
72f54d93118188013f2386eef7e5cc05
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

20.218.68.91:7690

Extracted

Family

xworm

163.5.215.245:9049

Mutex

r3SLo8kx59hai6gX

aes.plain

Extracted

Family

risepro

37.120.237.196:50500

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Targets

- Target
  
  FUCKER.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

amadey asyncrat quasar redline sectoprat xmrig zgrat 666 kz1 office04 evasion infostealer miner persistence rat spyware trojan upx dcrat stealc vidar 72f54d93118188013f2386eef7e5cc05 @systemadminbd livetraffic discovery stealer themida parallax raccoon risepro xworm dave pyinstaller purelogstealer @oleh_psp
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Detect ZGRat V1
- ParallaxRat
  ParallaxRat is a multipurpose RAT written in MASM.
  rat parallax
- ParallaxRat payload
  Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
  stealer purelogstealer
- PureLog Stealer payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V2 payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Dave packer
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  dave
- Downloads MZ/PE file
- Sets file execution options in registry
  persistence
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies powershell logging option
  evasion
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4