ades_stealer | hxxps://s3[.]us-east-1[.]wasabisys[.]com/vxugmwdb/2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Sharing

Copy URL

Twitter E-mail

General

Target

https://s3.us-east-1.wasabisys.com/vxugmwdb/2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
Sample

250421-v4cbystnw2

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

96.248.52.125:8031

wzt5xcg.localto.net:1604

wzt5xcg.localto.net:5274

Mutex

adobe_6SI8OkPnk

Attributes

delay
3
install
true
install_file
update.exe
install_folder
%Temp%

aes.plain

Extracted

Family

lumma

https://zestmodp.top/zeda

https://jawdedmirror.run/ewqd

https://changeaie.top/geps

https://lonfgshadow.live/xawi

https://liftally.top/xasj

https://nighetwhisper.top/lekd

https://salaccgfa.top/gsooz

https://owlflright.digital/qopy

https://yshiningrstars.help/api

https://mercharena.biz/api

https://stormlegue.com/api

https://blast-hubs.com/api

https://oblastikcn.com/api

https://naturewsounds.help/api

https://fxreshideas.tech/api

https://shiningrstars.help/api

https://pstormlegue.com/api

https://blastikcn.com/api

https://unaturewsounds.help/api

Extracted

Family

xworm

Version

5.0

127.0.0.1:8304

owners-encryption.gl.at.ply.gg:8304

applications-scenario.gl.at.ply.gg:53694

Mutex

vmpbQXCAUZiPKlSw

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Hubert Pilarczyk

pawela827-35962.portmap.host:35962

Mutex

ca431979-125b-480f-adac-43c48c1e1832

Attributes

encryption_key
39F4E87BBB832270AC54CA5065E707DFB3689A56
install_name
vsjitdebuggerui.exe
log_directory
CEF
reconnect_delay
3000
startup_key
Proces hosta dla zadań systemu Windows
subdirectory
3880

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.100.10:4782

llordiWasHere-55715.portmap.host:55715

Mutex

c30cf3c1-7b97-4704-8ee2-11d4f4a4a673

Attributes

encryption_key
5B006AB32BA3239F1231429040DABB9E56ECB26B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

siembonik-44853.portmap.host:44853

Mutex

df483a08-855b-4bf5-bdcb-174788919889

Attributes

encryption_key
A8573AD4438B1D5F6207F7C03CCC7F1E2D4B13DF
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
am1

Extracted

Family

quasar

Version

1.4.1

Botnet

RAT 5 (EPIC VERISON)

serveo.net:11453

Mutex

7a1301f7-dc6f-4847-a8ee-ca627a9efa0f

Attributes

encryption_key
3B793156AD6D884F51309D0E992DAA75D03D2783
install_name
Application Frame Host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Main

tpinauskas-54803.portmap.host:54803

Mutex

8422dcc2-b8bd-4080-a017-5b62524b6546

Attributes

encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
install_name
Win64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Win64
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

CleanerV2

192.168.4.185:4782

Mutex

1607a026-352e-4041-bc1f-757dd6cd2e95

Attributes

encryption_key
73BCD6A075C4505333DE1EDC77C7242196AF9552
install_name
Client.exe
log_directory
Clean
reconnect_delay
3000
startup_key
CleanerV2
subdirectory
SubDir

Extracted

Family

xworm

Version

3.1

camp.zapto.org:7771

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  https://s3.us-east-1.wasabisys.com/vxugmwdb/2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
Score

10^/10

ades_stealer ammyyadmin asyncrat lumma quasar umbral vidar xworm cleanerv2 default hubert pilarczyk main office04 rat 5 (epic verison)runtimebroker aspackv2 collection credential_access defense_evasion discovery execution persistence privilege_escalation pyinstaller rat spyware stealer themida trojan upx vmprotect
- AdesStealer
  AdesStealer is a modular stealer written in C#.
  stealer ades_stealer
- Ades_stealer family
  ades_stealer
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Ammyyadmin family
  ammyyadmin
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Umbral payload
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Detects AdesStealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1