amadey

Target

Downloaders.zip
Size

12KB
Sample

240521-mdy42aaa2x
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002

Extracted

Family

xworm

Version

5.0

79.110.49.133:5700

5.182.87.154:7000

Mutex

Bg9JRZDpyEfXxrAy

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

redline

Botnet

Vic

beshomandotestbesnd.run.place:1111

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
taskmgr.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

stealc

rc4.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

79.132.193.215:4782

Mutex

f99ccef5-65c4-4972-adf2-fb38921cc9fc

Attributes

encryption_key
1C15E91ACCFAC60B043A1336CF6912EA8572BA83
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup

Extracted

Family

redline

Botnet

DOCX

beshomandotestbesnd.run.place:1111

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

5.182.87.154:4449

Mutex

jiqsvporltpvroy

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Downloaders.zip
- Size
  
  12KB
- MD5
  
  94fe78dc42e3403d06477f995770733c
- SHA1
  
  ea6ba4a14bab2a976d62ea7ddd4940ec90560586
- SHA256
  
  16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
- SHA512
  
  add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
- SSDEEP
  
  384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score

10^/10

amadey asyncrat dcrat gozi hijackloader lumma privateloader purelogstealer quasar redline rhadamanthys sectoprat stealc tofsee vidar warzonerat xworm 1 c767c0 default docx office04 vic banker bootkit discovery evasion execution exploit infostealer loader persistence rat spyware stealer themida trojan upx vmprotect
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Lumma Stealer payload V2
- Detect Lumma Stealer payload V4
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Detects HijackLoader (aka IDAT Loader)
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
  stealer purelogstealer
- PureLog Stealer payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- UAC bypass
  evasion trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies boot configuration data using bcdedit
- Warzone RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Contacts a large (627) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Possible privilege escalation attempt
  exploit
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1