amadey

Target

Downloaders.zip
Size

12KB
Sample

250212-dhrfbaxnhm
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

CleanerV2

192.168.4.185:4782

Mutex

1607a026-352e-4041-bc1f-757dd6cd2e95

Attributes

encryption_key
73BCD6A075C4505333DE1EDC77C7242196AF9552
install_name
Client.exe
log_directory
Clean
reconnect_delay
3000
startup_key
CleanerV2
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

18.141.204.5:80

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
syteam.exe
install_folder
%Temp%

aes.plain

Extracted

Family

redline

Botnet

147.124.222.241:47056

Extracted

Family

amadey

Version

5.04

Botnet

608ae0

http://185.208.159.121

Attributes

install_dir
d71abd0bd9
install_file
Gxtuum.exe
strings_key
353f19792cc9942438e61b6e87ba3d87
url_paths
/8djjd3Shf2/index.php

rc4.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

tieumao1995-51127.portmap.io:51127

98.51.190.130:20

Mutex

4119a2e0-4ae4-4843-8534-99af91a2475d

Attributes

encryption_key
DF6316067206E09C1F85138FCEBD56F5D94BF6AE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Startup
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

6.tcp.eu.ngrok.io:12925

2.tcp.eu.ngrok.io:19695

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

0.tcp.in.ngrok.io:18220

0.tcp.eu.ngrok.io:15174

159.100.19.137:7707

Mutex

hDtjdONRXVCh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Helper Atanka

193.203.238.136:8080

Mutex

14f39659-ca5b-4af7-8045-bed3500c385f

Attributes

encryption_key
11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
install_name
diskutil.exe
log_directory
Logs
reconnect_delay
3000
startup_key
diskutil
subdirectory
diskutil

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

hahalol-49745.portmap.host:49745

Mutex

6ba66483-7407-4bb1-85ea-d79258d3bf46

Attributes

encryption_key
AAFD116557051025FAE9863551E989343167ADDF
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
a5

Extracted

Family

discordrat

Attributes

discord_token
MTA4MDk4MTIyMDY1OTI5ODM1Nw.Ge9WdI.mgiKFBRpd3OMUTf1SBAtgUqqVPKf4evZxJ5nYU
server_id
1080979971050319872

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes

encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Steam

Extracted

Family

xworm

Version

5.0

157.20.182.169:1515

0.tcp.eu.ngrok.io:10358

6.tcp.eu.ngrok.io:10358

4.tcp.eu.ngrok.io:10358

Mutex

qqWjm3mbt3teI8Oz

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

38.180.203.208:14238

Extracted

Family

redline

Botnet

unique24

185.215.113.67:21405

Extracted

Family

redline

Botnet

wind

194.190.152.223:40355

Attributes

auth_value
8834064a70f1a34ac1e47c2315ab253e

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed by Here

21.ip.gl.ply.gg:56106

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Targets

- Target
  
  Downloaders.zip
- Size
  
  12KB
- MD5
  
  94fe78dc42e3403d06477f995770733c
- SHA1
  
  ea6ba4a14bab2a976d62ea7ddd4940ec90560586
- SHA256
  
  16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
- SHA512
  
  add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
- SSDEEP
  
  384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score

10^/10

amadey asyncrat azorult discordrat lokibot nanocore njrat quasar redline sectoprat xmrig xworm zharkbot 608ae0 cleanerv2 default hacked by here helper atanka nigga office04 po runtimebroker unique24 wind botnet collection credential_access defense_evasion discovery execution infostealer keylogger miner persistence privilege_escalation rat rootkit spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Detect Xworm Payload
- Detects ZharkBot payload
  ZharkBot is a botnet written C++.
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- ZharkBot
  ZharkBot is a botnet written C++.
  botnet zharkbot
- Zharkbot family
  zharkbot
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  defense_evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1