ammyyadmin | c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed

Resubmissions

29-11-2024 08:21

241129-j89bpsvnes 10

28-11-2024 22:32

241128-2f9qwatjcw 10

28-11-2024 20:43

241128-zh3dgavrcr 10

Sharing

Copy URL

Twitter E-mail

General

Target

take3.exe
Size

14.3MB
Sample

241128-2f9qwatjcw
MD5

8a44ee98217bc81f0869d793eefab1f0
SHA1

4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
SHA256

c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
SHA512

4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
SSDEEP

393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/xmrig.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/nssm.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/nssm.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/xmrig.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/unvd01/unvmain/raw/main/un2/botprnt.dat

exe.dropper

http://unvdwl.com/un2/botprnt.dat

Extracted

Credentials

Protocol: ftp
Host:
ftpcluster.loopia.se
Port:
21
Username:
srbreferee.com
Password:
luka2005

Extracted

Credentials

Protocol: ftp
Host:
ftpcluster.loopia.se
Port:
21
Username:
PRGUpdate
Password:
hokejnaledu

Extracted

Credentials

Protocol: ftp
Host:
139.59.11.0
Port:
21
Username:
administrator
Password:
BLUEAIRWOLF

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

14.243.221.170:2654

Mutex

a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd

Attributes

encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

gh0strat

1.15.110.72

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

ser.nrovn.xyz:6606

ser.nrovn.xyz:7707

ser.nrovn.xyz:8808

Mutex

nfMlxLKxWkbD

Attributes

delay
3
install
true
install_file
http.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

154.197.69.165:7000

Mutex

wPxAiY3vITAPeZGc

Attributes

Install_directory
%AppData%
install_file
System.exe

aes.plain

Targets

- Target
  
  take3.exe
- Size
  
  14.3MB
- MD5
  
  8a44ee98217bc81f0869d793eefab1f0
- SHA1
  
  4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
- SHA256
  
  c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
- SHA512
  
  4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
- SSDEEP
  
  393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT
Score

10^/10

ammyyadmin asyncrat dcrat flawedammyy gh0strat quasar ramnit redline xmrig xred xworm zharkbot default office04 sgvp aspackv2 backdoor banker botnet credential_access defense_evasion discovery dropper evasion execution exploit infostealer miner persistence privilege_escalation pyinstaller rat spyware stealer themida trojan upx vmprotect worm
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Ammyyadmin family
  ammyyadmin
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Xworm Payload
- Detects ZharkBot payload
  ZharkBot is a botnet written C++.
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Flawedammyy family
  flawedammyy
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Ramnit family
  ramnit
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- ZharkBot
  ZharkBot is a botnet written C++.
  botnet zharkbot
- Zharkbot family
  zharkbot
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Contacts a large (771) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates new service(s)
  persistence execution
- Download via BitsAdmin
  dropper
- Downloads MZ/PE file
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Modifies Windows Firewall
  evasion
- Possible privilege escalation attempt
  exploit
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion execution
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1