ammyyadmin | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

Target

4363463463464363463463463.exe.zip
Size

4KB
Sample

250125-azr7dswras
MD5

16d34133af438a73419a49de605576d9
SHA1

c3dbcd70359fdad8835091c714a7a275c59bd732
SHA256

e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
SHA512

59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
SSDEEP

96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

185.223.30.86:8808

0.tcp.in.ngrok.io:10147

14.243.221.170:3322

stuff-data.gl.at.ply.gg:54296

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:17027

2.tcp.ngrok.io:6606

2.tcp.ngrok.io:7707

2.tcp.ngrok.io:8808

2.tcp.ngrok.io:8080

2.tcp.ngrok.io:17027

Mutex

GfuQDRCNZd5L

Attributes

delay
9
install
true
install_file
sync.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

sound-vietnam.gl.at.ply.gg:52575

Attributes

Install_directory
%LocalAppData%
install_file
Terraria-Multiplayer-Fix-Online.exe

Extracted

Family

xworm

Version

5.0

panpoppo-25611.portmap.io:25611

Mutex

bkYwUfZceyxwRCdw

Attributes

Install_directory
%AppData%
install_file
System.exe
telegram
https://api.telegram.org/bot7029474494:AAH1z4aA2-VnubfHzTm9hl-5PQmAMfTuggo/sendMessage?chat_id=5258405739

aes.plain

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

82.193.104.21:5137

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

remcos

Botnet

Crypt

185.225.73.67:1050

Attributes

audio_folder
576ruythg6534trewf
audio_path
%WinDir%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
76y5trfed675ytg.exe
copy_folder
kjhgfdc
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
654ytrf654trf654ytgref.dat
keylog_flag
false
keylog_folder
67yrtg564tr6754yter
mouse_option
false
mutex
89765y4tergfw6587ryute-80UMP1
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
67y4htergf65trgewfd654tyrfg
screenshot_path
%Temp%
screenshot_time
10
startup_value
6754ytr756ytr7654yretg8765uyt
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
bank

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

Default

yyyson22.gleeze.com:4608

Mutex

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

discordrat

Attributes

discord_token
MTAyOTM3NzcyMzcxNTU1OTQ2NA.G7rtDA.iVKPgXW9sMwRqiFimO_Rdc0nXAigNycwugkM4k
server_id
696661218521251871

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.79:4782

104.251.123.245:23600

Mutex

956eafb2-7482-407b-bff4-d2b57a1c3d75

Attributes

encryption_key
EFEBD005E03B8B8669985D9A167E2BEF9FFCA477
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

redline

Botnet

Standoff

89.23.101.77:1912

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.136.51.217:5173

Mutex

QYKKiqqJ0K2HqPP0Mo

Attributes

encryption_key
rFGYI3uEIwvomle2u8mk
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Extracted

Family

gurcu

https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568449403

http://209.38.221.184:8080

http://46.235.26.83:8080

http://147.28.185.29:80

http://206.166.251.4:8080

http://51.159.4.50:8080

http://167.235.70.96:8080

http://194.164.198.113:8080

http://132.145.17.167:9090

https://5.196.181.135:443

http://116.202.101.219:8080

https://185.217.98.121:443

http://185.217.98.121:8080

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

http://65.49.205.24:8080

https://154.9.207.142:443

http://67.230.176.97:8080

http://8.222.143.111:8080

Targets

- Target
  
  4363463463464363463463463.exe.zip
- Size
  
  4KB
- MD5
  
  16d34133af438a73419a49de605576d9
- SHA1
  
  c3dbcd70359fdad8835091c714a7a275c59bd732
- SHA256
  
  e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
- SHA512
  
  59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
- SSDEEP
  
  96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5
Score

10^/10

ammyyadmin asyncrat discordrat gurcu njrat quasar redline remcos xworm crypt default hacked office office04 standoff zjeb collection defense_evasion discovery execution infostealer persistence phishing privilege_escalation pyinstaller rat rootkit spyware stealer themida trojan upx
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Ammyyadmin family
  ammyyadmin
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  defense_evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Stops running service(s)
  defense_evasion execution
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1