ammyyadmin | hxxps://s3[.]us-east-1[.]wasabisys[.]com/vxugmwdb/2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Sharing

Copy URL

Twitter E-mail

General

Target

https://s3.us-east-1.wasabisys.com/vxugmwdb/2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
Sample

250421-vnh5kazwdw

Malware Config

Extracted

Family

lumma

https://begindecafer.world/QwdZdf

https://garagedrootz.top/oPsoJAN

https://modelshiverd.icu/bJhnsj

https://arisechairedd.shop/JnsHY

https://catterjur.run/boSnzhu

https://dorangemyther.live/IozZ

https://fostinjec.today/LksNAz

https://sterpickced.digital/plSOz

https://iclarmodq.top/qoxo

https://jawdedmirror.run/ewqd

https://changeaie.top/geps

https://lonfgshadow.live/xawi

https://liftally.top/xasj

https://nighetwhisper.top/lekd

https://ksalaccgfa.top/gsooz

https://zestmodp.top/zeda

https://owlflright.digital/qopy

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://5ironloxp.live/aksdd

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

[email protected]

sayrich.ddns.net:7777

Mutex

Yandex. Update

Attributes

reg_key
Yandex. Update
splitter
|Hassan|

Extracted

Family

xworm

Version

5.0

lohoainam2008-36048.portmap.io:36048

127.0.0.1:14606

r-exploring.gl.at.ply.gg:14606

147.185.221.27:14606

3214r214r12412-50274.portmap.io:50274

Attributes

Install_directory
%AppData%
install_file
Setup.exe
telegram
https://api.telegram.org/bot6189190228:AAF5CGiKGC5p4mkyZfTy1Lp5BrZMWsKu-pk/sendMessage?chat_id=5666777098

aes.plain

Extracted

Family

xworm

w-bridal.gl.at.ply.gg:48095

127.0.0.1:8848

flowers-christina.gl.at.ply.gg:8848

Attributes

Install_directory
%Temp%
install_file
Sys32.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:18274

6.tcp.eu.ngrok.io:6606

6.tcp.eu.ngrok.io:7707

6.tcp.eu.ngrok.io:8808

6.tcp.eu.ngrok.io:8080

6.tcp.eu.ngrok.io:18274

1.tcp.ap.ngrok.io:21049

ratlordvc.ddns.net:6606

18.141.204.5:80

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Extazz24535-22930.portmap.host:22930

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
2klz.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

redline

Botnet

@glowfy0

91.214.78.86:1912

Extracted

Family

asyncrat

Version

A 13

Botnet

Default

163.172.125.253:333

Mutex

AsyncMutex_555223

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

rat1

unitedrat.ddns.net:4782

Mutex

5100ab61-a5a5-407f-af55-9e7766b9d637

Attributes

encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
install_name
System32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System32
subdirectory
System32

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

172.204.136.22:1604

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

6.tcp.eu.ngrok.io:12925

0.tcp.eu.ngrok.io:15174

Mutex

ghbyTnUySCmF

Attributes

delay
3
install
false
install_file
RoyalKing.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

WenzCordRat

nickhill112-22345.portmap.host:22345

Mutex

7ee1db41-359a-46b2-bba3-791dc7cde5e1

Attributes

encryption_key
985DB7D034DB1B5D52F524873569DDDE4080F31C
install_name
WenzCord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update.exe
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

Mutex

1f65a787-81b8-4955-95e4-b7751e10cd50

Attributes

encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
install_name
Neverlose Loader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

sigorta

217.195.197.170:1604

Mutex

QSR_MUTEX_9WjAcLINYji1uqfzRt

Attributes

encryption_key
B2vTTMiPGqHXv2xzSGYH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes

encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Steam

Extracted

Family

darkcomet

Botnet

BROUTEUR

voltazur.ddns.net:1604

Mutex

DC_MUTEX-CLRHTUN

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
cVxQXF1dUQRM
install
true
offline_keylogger
false
persistence
true
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  https://s3.us-east-1.wasabisys.com/vxugmwdb/2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
Score

10^/10

ammyyadmin asyncrat azorult darkcomet lumma mimikatz njrat quasar redline sliver xworm @glowfy0 brouteur default [email protected]nigga office04 rat1 sigorta wenzcordrat backdoor defense_evasion discovery execution infostealer persistence pyinstaller rat spyware stealer themida trojan upx
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Ammyyadmin family
  ammyyadmin
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Detect Xworm Payload
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Sliver RAT v2
- Sliver family
  sliver
- SliverRAT
  SliverRAT is an open source Adversary Emulation Framework.
  trojan backdoor sliver
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- mimikatz is an open source tool to dump credentials on Windows
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Stops running service(s)
  defense_evasion execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1