amadey

General

Target

Malware with taskmgr.zip
Size

2.9MB
Sample

240806-2kbpmssgrn
MD5

a964aeb3e8cf59d3b8708af99731abf4
SHA1

77a9caa0eb747c0d5bba1d2b86dd13537516f849
SHA256

39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc
SHA512

9109666afd9cb90a9ba44ef14a9914afcd7749169b2e4a04f6066f470a7a89503ddf90a21adeadd4dfd2056aa66854f99db532824be64c95bc0d94ad7439c79a
SSDEEP

49152:x7yeTYZ5z0vegABI2egr4OecHvD5m33UZRQDRfPapjj6axvkVxureuIiBAkpwESc:xnTYZ5z0WgH234RUI3UrQ1uHlvkxuhLd

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\#DECRYPT MY FILES#.html

Ransom Note

<html> <head> <meta charset='utf-8'> <title>WHAT HAPPENED</title> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .after { background: #FFE4E4; border-left: 10px solid #A5A52F; } .third { background: #FFE4E4; border-left: 10px solid #0000FF; } .alert { background: #FFE4E4; border-left: 10px solid #0000FF; } .contact { background: #CCCCCC; border-left: 10px solid #00FF00; } .party { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; }</style> </head> <div class='header'>Your files are encrypted!</div> <div class='header'>Paradise Ransomware Team!</div><div class='note private'> <div class='title'>Your personal ID</div> <pre>2wbBLus6</pre><div class='title'>Your personal KEY</div> <pre><textarea name='mesage' rows='10' cols='150' wrap='virtual'>q/HNqCXhyy7LqMNio48MnIYzcLnkX9BC+Y5th5nZWoyWefGx25etubKGtowjsSlnEjUAbSxCFmoG57FB2CA3SE2fuQGjtxiQn/R7DP189g3JvLcrF4Kg1pWtG528gU7t1a15Xk492Ye0JQFukndOy6GqHx3rKjD2tB2yaRzqAolCdUV4MY6aOU5RrG+zwQVsGTnLIE5YL2nvAvcNNf/3kUzagKevmra7TWKIENM8E2fKJU7Tg7Uu7qx0+jJa7B6YbjAFHIG81xnOzA5nOZm9eKT7wVeRBRJNQuQOE1S2yIFVhlMmCmhymX13hfiQ5XtFwCJzzfyt+oDAUTCRfh0PFm/GMXcTjoh8I99MLszLTrwE6BMcc6/NRdmSGsdQ4rJftewBR6U9OO78viqI7KDJ+P5VdvLVbYo18BoYmspkDhGJFN84UundTVqNUOEUHRU31VwDE92VmHhpcNRAbTptWq5wl4NdXN4/1gI4GOEKvJiM24XdHwC5oP3+z5p89m/rfDFpl1CLAXUYX7O+nx+Hoez9YgUf07z3KTe/fzDIoEAlvM5exA9j7KxOJgq68pcaWkkPrhk8guVpZ2ttXfyOkzwDLO7SFWKTEkaoDSsAmbH86SaHrT2EMWDpnsY4rvPrGmI6WKFL5ORYsFOWGsgSVkENKAOd1oGePGVHHDnv7DF/cBK+jsi+hAQfzP7uSMMIqbrbGeGtohEBbIYSGAV8dwz7sH6szh3/tiFH+Ru4bFqZztryemj3Gj3mZdfGSL1Z98UhDF/npc0uxOeoArnRxsdgJGYvCfCpkEYnMjOHlBu6usNBvlBGul0tqbbqiALwqSzj1tQ2FcmrJVrEFGmVTxGR/ce2E5MsR2LhmnIGRoz6mW4YKH2t3n5CFHbC7M9QWoVtc+5/GByoJVZ1c251y+MdvF+wTV9sog1H6RcKFaeCB88D3MUJxp7d+M9vahPIadi/IFfcFq6ZhAAEEwsqJ6GA6XreUNXuTNFUF2GL7wUy3t0WgfiP+8CMZWxnn8gTjmgAinzRHPuaVcrrMO8LQpXIRffnL5DE0GECB2Jec7PSWetObxTARUuc5NCB3YbWoQ6PuoZNNQQtWAXrZYnW2FUSy4sQX4NOqQg1+n+H4fK1/3N4zt6PDMjM8ND/eTXrVYtdCvg8i12TxJj8i5E+yl2LmK+RZCikkdoYtgSmnwKy42f0uDY0FPDGFEZIQYN/fXhMNKwpuZFM0baZ0RPBN8ob9DxVZ5mrU9OmdNuWfKsj8tgwu/+3AW0xQ534xjDWXTygy2aO3yzYnJTN4aPEQr3inq+i4D1zo5LcXwbePzahpOlPfXdxrDTCnKY2MC/EOrtBiMH3Dw8Gi3EEcD9SbQ==</textarea></div> <div class='note after'> <div class='title'>WHAT HAPPENED!</div> <ul><li>Your important files produced on this computer have been encrypted due a security problem.</li> <li>If you want to restore them, pay to us by website.</li> <li>After payment we will send you the decryption tool that will decrypt all your files.</li> </ul> </div> <div class='note third'> <div class='title'>FREE DECRYPTION AS GUARANTEE!</div> <ul><li>Before payment you can send us 1-3 files for free decryption.</li> <li>Please note that files must NOT contain valuable information.</li><li>The file size should not exceed 1MB.</li> <li>As evidence, we can decrypt one file</li> </ul> </div> <div class='note alert'> <div class='title'>HOW TO PAY!</div> <ul><li>Buy Paid Code In: https://shop.linuxenc.top/buy/2</li> <li>After you got Paid Code, get your personal key in https://search.linuxenc.top</li> </ul> </div> <div class='note contact'> <div class='title'>Contact!</div> <ul><li>e-mail:<input type='text' name='login' value='[email protected]' size='20' maxlength='5'> </li> <li>or</li><li>e-mail:<input type='text' name='login' value='[email protected]' size='20' maxlength='5'> </li> </ul> </div> <div> <div class='note party'> <div class='title'>Attention!</div> <ul><li>Do not rename encrypted files</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss</li><li>You are guaranteed to get the decryptor after payment</li> <li>As evidence, we can decrypt one file</li> <li>Do not attempt to use the antivirus or uninstall the program</li> <li>This will lead to your data loss and unrecoverable</li> <li>Decoders of other users is not suitable to decrypt your files - encryption key is unique</li> </ul> </div> </body> </html>

Emails

value='[email protected]

URLs

https://shop.linuxenc.top/buy/2</li>

https://search.linuxenc.top</li>

Targets

- Target
  
  Setup.exe
- Size
  
  12KB
- MD5
  
  a14e63d27e1ac1df185fa062103aa9aa
- SHA1
  
  2b64c35e4eff4a43ab6928979b6093b95f9fd714
- SHA256
  
  dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
- SHA512
  
  10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
- SSDEEP
  
  192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ
Score

10^/10

amadey ammyyadmin cobaltstrike flawedammyy phorphiex 0 backdoor bootkit credential_access discovery evasion execution loader persistence privilege_escalation ransomware rat spyware stealer trojan worm
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Modifies security service
  evasion
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Renames multiple (1484) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Command and Scripting Interpreter: AutoIT
  Using AutoIT for possible automate script.
  execution
- Suspicious use of SetThreadContext
behavioral1