amadey

Resubmissions

24-11-2024 19:42

241124-yexs5s1rgq 10

24-11-2024 09:24

241124-lc6xtatmay 10

Sharing

Copy URL

Twitter E-mail

General

Target

Testing5.zip
Size

6.0MB
Sample

241124-lc6xtatmay
MD5

4361601ad4e2af850ccf0e600509c2ca
SHA1

9a2112227673788b6570384a2eb1f32537f46a30
SHA256

2c41808826974a0fdd3c7b27850143cad077a79e0cf69c011da495d6abee679a
SHA512

74e884d5cd117b6d5898f9c2b3ccd424b46a9bd958e2412987fdba00496318547a1b1f625de6b5195c8150ce81ef58e8c015875ccc00b222ffda1d5e0f830eab
SSDEEP

98304:VYhsAjqphjdMXv8Xg1qdPNGv4mLI833edIVEXYxssdOTyc4Fh+LhwgLUpjbk387K:qsAW7jakwUGv6E3edIqB2c4FIhwg6/yd

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwOTg3NTA0MzA1MTg5Njk1NA.GTR-3U.C7tazMXoRaSR--tVDMbQdoDKBw2f8bLXItZIRo
server_id
1309876526615101530

Extracted

Family

amadey

Version

5.04

Botnet

4bee07

http://185.215.113.209

Attributes

install_dir
fc9e0aaab7
install_file
defnur.exe
strings_key
191655f008adc880f91bfc85bc56db54
url_paths
/Fru7Nk9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

mars

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
761
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\K18zGoDMql.README.txt

Ransom Note

ATTENTION! Don’t worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that’s price for you is $490. Please note that you’ll never restore your data without payment. To get this software and key you need join our server discord: discord.gg/ Personal ID: 71714dab686b45fc9552bf93b31d8588

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\GK9X59JWEe.README.txt

Ransom Note

Targets

- Target
  
  94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
- Size
  
  1.8MB
- MD5
  
  f42590bc6a794fb1d34aba733035bc5e
- SHA1
  
  d3ffb11f07d68b79d7c6d7aeab5571722a603d1c
- SHA256
  
  94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7
- SHA512
  
  40e1f2367a57f1bfc7cff43d496dcca4419b2324099c8a835561f372a34b3a2eba82033aba337e20f70c7e142fee6a1ecf26ccea122bfc7191aa50d7a0b05064
- SSDEEP
  
  49152:m0u8PuIv8ZuAD/juxrb3LJQ8gUGza+7X0LSH71XXZ1:u8PYDkH7GRz14LSH7dZ
Score

10^/10

amadey cryptbot stealc 4bee07 9c9aa5 mars credential_access discovery evasion persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- CryptBot
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Cryptbot family
  cryptbot
- Detects CryptBot payload
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  spyware stealer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Discordrat.exe
- Size
  
  90KB
- MD5
  
  d74728a955861daf303ff42c7f572d16
- SHA1
  
  a73b4d871a4caec1700349de9b5f7dbf4ba59f7b
- SHA256
  
  1f3b8599d811004b6d52d543e451555944c3c4dc2893d04a370a0874e99c82af
- SHA512
  
  73c271de7061e53b91079636d99f1967ce922bf47c14539569b2f0f3a9b6628bc4cc1fd9a7d7cb1e10bdfc95c8ce49e0a0f3a815cf5810f44a5c2b35ba116e69
- SSDEEP
  
  1536:ibPjt72uOFmYskRPUAqtBTldwX0bpAkAfLgbGNrk+uexCxoKV6+fEX85:EjtyuOFpskpgBTlukQgbGNrk+bSEXQ
Score

10^/10

discordrat persistence rat rootkit stealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
behavioral3 behavioral4
- Target
  
  F4620C0AFA8E21897509B2E7215097F5.exe
- Size
  
  2.1MB
- MD5
  
  f4620c0afa8e21897509b2e7215097f5
- SHA1
  
  af216ca6105e271a3fb45a23c10ee7cf3158b7e1
- SHA256
  
  8daf7dcdf256d7de40d33e5550dc5e8bbf887b8c4b7f49c79a15c96dad867f82
- SHA512
  
  68b875acc06d9c3796f49377b5b25a5e8b9a380221eea59e4274249ca7d2bff10c3fc5edf50eae5da726afea882e0e777af86af25be7b57c8fbfd70448d8d7dd
- SSDEEP
  
  49152:IBJz3c6UY0hj8eu32ILwfhNE5I6OrLCXLdsN6:yh3cvY0Z8pGWwfhyxOrUsN6
Score

10^/10

dcrat discovery infostealer rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral5 behavioral6
- Target
  
  a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
- Size
  
  254KB
- MD5
  
  09b5f5200e59d3a4623d739661ce9832
- SHA1
  
  8cfecf1996164ea98bbffbedc951b740cb35ca94
- SHA256
  
  a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323
- SHA512
  
  932448936c0e6e48ad059b4b224ba94e723f771d7d31f0e183f65ab46fff18ff01d5f7185a30258a1c46c7777677c4f2defefcc1db2645f732f3c13bb98b5977
- SSDEEP
  
  3072:nl6lh5pdDkFgvGRPLYYhmB218CdV3GB9Qr8lWmN5PSRs5CMMXQFPml5gdN+98bep:oj7ToPpmBHi2B9mXx98beF+LUDj0YUk
Score

10^/10

credential_access discovery execution ransomware spyware stealer
- Renames multiple (391) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral7 behavioral8
- Target
  
  unturnedHack.exe
- Size
  
  4.1MB
- MD5
  
  c5293ff604e4231fdffaa092fd7c5ca8
- SHA1
  
  9e8aeb9ec19b8a6d534360883188872a257bb337
- SHA256
  
  4531a1efd815df17d3a6f247d0850ab5e510de2345723e41c062716e65df686e
- SHA512
  
  57a64316ac3944a4050853f491b85b373fc9e5f393c868d20243fcf1dfda4e733a61cf0348b7e0be25e7b880e49373131c500b5f91e7eb0c345957e070ad5fc9
- SSDEEP
  
  49152:Xl4UjB0jUudKphZByreh+Woao/OZa8XLh+4vBTVlz8svA:14UjKgu8A
Score

10^/10

meduza collection discovery spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral10 behavioral9