ammyyadmin | c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed

Resubmissions

02-12-2024 01:18

241202-bpbmbsxjfq 10

02-12-2024 01:09

241202-bh6twswqbn 10

Sharing

Copy URL

Twitter E-mail

General

Target

niggers.exe
Size

14.3MB
Sample

241202-bpbmbsxjfq
MD5

8a44ee98217bc81f0869d793eefab1f0
SHA1

4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
SHA256

c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
SHA512

4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
SSDEEP

393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json

Extracted

Family

njrat

Version

0.7d

Botnet

mohib

mohibkal.publicvm.com:1978

Mutex

c14a42d030a82215ba6bc24288fc11a4

Attributes

reg_key
c14a42d030a82215ba6bc24288fc11a4
splitter
|'|'|

Extracted

Family

lumma

https://preside-comforter.sbs

https://savvy-steereo.sbs

https://copper-replace.sbs

https://record-envyp.sbs

https://slam-whipp.sbs

https://wrench-creter.sbs

https://looky-marked.sbs

https://plastic-mitten.sbs

https://hallowed-noisy.sbs

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

144.34.162.13:3333

Extracted

Family

xworm

Version

5.0

panpoppo-25611.portmap.io:25611

45.141.26.170:7000

Mutex

bkYwUfZceyxwRCdw

Attributes

Install_directory
%AppData%
install_file
System.exe
telegram
https://api.telegram.org/bot7029474494:AAH1z4aA2-VnubfHzTm9hl-5PQmAMfTuggo/sendMessage?chat_id=5258405739

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

ser.nrovn.xyz:6606

ser.nrovn.xyz:7707

ser.nrovn.xyz:8808

Mutex

nfMlxLKxWkbD

Attributes

delay
3
install
true
install_file
http.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

14.243.221.170:2654

Mutex

a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd

Attributes

encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Extracted

Family

rhadamanthys

https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr

Extracted

Family

vidar

Version

10.6

Botnet

af458cf23e4b27326a35871876cc63d9

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Extracted

Family

redline

Botnet

Diamotrix

176.111.174.140:1912

Targets

- Target
  
  niggers.exe
- Size
  
  14.3MB
- MD5
  
  8a44ee98217bc81f0869d793eefab1f0
- SHA1
  
  4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
- SHA256
  
  c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
- SHA512
  
  4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
- SSDEEP
  
  393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT
Score

10^/10

ammyyadmin asyncrat flawedammyy lumma metasploit njrat quasar ramnit redline rhadamanthys vidar xmrig xworm af458cf23e4b27326a35871876cc63d9 default diamotrix mohib office04 sgvp aspackv2 backdoor banker credential_access defense_evasion discovery evasion execution infostealer miner privilege_escalation pyinstaller rat spyware stealer trojan upx worm
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Ammyyadmin family
  ammyyadmin
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
  trojan flawedammyy
- Flawedammyy family
  flawedammyy
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Ramnit family
  ramnit
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2