ammyyadmin | 74d74bfdd9852c7967a852d632c16dc347b358fead85c04b04a809d9a35fb2c9

Resubmissions

04-12-2024 14:38

241204-rz18qstmbl 10

04-12-2024 13:22

241204-qme93awpgz 10

Sharing

Copy URL

Twitter E-mail

General

Target

241204-p9yjgs1nbp_pw_infected.zip
Size

14.1MB
Sample

241204-qme93awpgz
MD5

ffddb4d8714809e17e1e1b19cb085b8c
SHA1

e7b635844b198af1e84fe00aad8c322eeafea51a
SHA256

74d74bfdd9852c7967a852d632c16dc347b358fead85c04b04a809d9a35fb2c9
SHA512

26cece41f6bb1903398813116c0fc27a25c205ee0ae6ae930fe7fe263f60cb86a0cfc76c40cef5851671e7c11191a8e45b27b1ef55222b6575abe7bf2cfe309e
SSDEEP

393216:kBkHW+0ozLt+tYFj37O1/CKw+JFu/HObglFPh8OW:k+HN7LtFp37O1/yC7gbPU

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://176.111.174.138/usersync/tradedesk/_rp

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://osecweb.ir/js/config_20.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Family

xworm

Version

5.0

week-dictionary.gl.at.ply.gg:12466

Mutex

WIHzy7HOqD8TiFlq

Attributes

Install_directory
%AppData%
install_file
PowerShell.exe

aes.plain

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

144.34.162.13:3333

Extracted

Family

lumma

https://preside-comforter.sbs

https://savvy-steereo.sbs

https://copper-replace.sbs

https://record-envyp.sbs

https://slam-whipp.sbs

https://wrench-creter.sbs

https://looky-marked.sbs

https://plastic-mitten.sbs

https://hallowed-noisy.sbs

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

MSF

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

14.243.221.170:2654

Mutex

a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd

Attributes

encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Targets

- Target
  
  niggers.exe
- Size
  
  14.3MB
- MD5
  
  8a44ee98217bc81f0869d793eefab1f0
- SHA1
  
  4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
- SHA256
  
  c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
- SHA512
  
  4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
- SSDEEP
  
  393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT
Score

10^/10

ammyyadmin asyncrat lumma metasploit modiloader neshta njrat quasar ta505 xmrig xworm default office04 sgvp backdoor credential_access defense_evasion discovery evasion execution miner persistence privilege_escalation pyinstaller rat spyware stealer themida trojan upx vmprotect
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Ammyyadmin family
  ammyyadmin
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Neshta payload
- Detect Xworm Payload
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- TA505
  Cybercrime group active since 2015, responsible for families like Dridex and Locky.
  ta505
- Ta505 family
  ta505
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- ModiLoader Second Stage
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion execution
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  take3.pyc
- Size
  
  5KB
- MD5
  
  4a9013e03843a3c5549540fa2dffd97c
- SHA1
  
  642b3d516cce79edfcc4881ebf8c142615a25b38
- SHA256
  
  2dbcec9abf205c40869539313ee711323d62f442181f5d3eeceb8ecb6130c3b7
- SHA512
  
  8212bdc9cff937ded41a2f5c666a6755b39841cdb3316ba9abc08f32a6f356d01e21ce1d75007ea8240082c950f59f6ccc07b4eacaa15008fe074bc1bd1874dd
- SSDEEP
  
  96:D9sxJIAI8lQAcPTwt0Ss3NYQfmkaHiiHj2xWhp5EJp:hsxJIAI8GHPNLVA92Op5O
Score

3^/10
behavioral2