amadey

Sharing

Copy URL

Twitter E-mail

General

Target

Malware with taskmgr.zip
Size

2.9MB
Sample

240614-w6arkswcll
MD5

a964aeb3e8cf59d3b8708af99731abf4
SHA1

77a9caa0eb747c0d5bba1d2b86dd13537516f849
SHA256

39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc
SHA512

9109666afd9cb90a9ba44ef14a9914afcd7749169b2e4a04f6066f470a7a89503ddf90a21adeadd4dfd2056aa66854f99db532824be64c95bc0d94ad7439c79a
SSDEEP

49152:x7yeTYZ5z0vegABI2egr4OecHvD5m33UZRQDRfPapjj6axvkVxureuIiBAkpwESc:xnTYZ5z0WgH234RUI3UrQ1uHlvkxuhLd

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

xworm

Version

5.0

64.226.123.178:6098

Mutex

1z0ENxCLSR3XRSre

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

Version

3.1

185.91.127.220:7000

200.9.155.204:7000

Mutex

0liuzqSbSYrrf5nM

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

0011

185.91.127.219:33455

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
cmd.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Targets

- Target
  
  Malware with taskmgr.zip
- Size
  
  2.9MB
- MD5
  
  a964aeb3e8cf59d3b8708af99731abf4
- SHA1
  
  77a9caa0eb747c0d5bba1d2b86dd13537516f849
- SHA256
  
  39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc
- SHA512
  
  9109666afd9cb90a9ba44ef14a9914afcd7749169b2e4a04f6066f470a7a89503ddf90a21adeadd4dfd2056aa66854f99db532824be64c95bc0d94ad7439c79a
- SSDEEP
  
  49152:x7yeTYZ5z0vegABI2egr4OecHvD5m33UZRQDRfPapjj6axvkVxureuIiBAkpwESc:xnTYZ5z0WgH234RUI3UrQ1uHlvkxuhLd
Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Drops file in Drivers directory
- Sets DLL path for service in the registry
  persistence
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1
- Target
  
  processhacker-2.39-setup.exe
- Size
  
  3.5MB
- MD5
  
  b634c2030dcfbff51a9427f7091ee945
- SHA1
  
  96793c81fa09c5fe1e5d353b9c12837fa2e12ddd
- SHA256
  
  efa43d5920d7306c8b8aab1479d418f74e8e9ddc2078b6f40c1775b6deac33f5
- SHA512
  
  9c1eb150aacdbcfc0630a26aa66e210d200bb439621c115775dc70ba07f3be495cf9472b0811ae4728a4f72d6773f09a169458dc5cb4c24e19953ed6ccbed923
- SSDEEP
  
  98304:kGdVyVT9nOgmhRWh9/ULkjKxtTGP6VZd2rAcvOSE6Nq:bWT9nO7js/ULRjVZdLSE
Score

10^/10

amadey gh0strat phorphiex privateloader purplefox redline tofsee xehook xworm 0011 0e6740 @logscloudyt_bot e76b71 bootkit discovery evasion execution infostealer loader persistence ransomware rat rootkit spyware stealer themida trojan upx worm
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Detect Xehook Payload
- Detect Xworm Payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xehook stealer
  Xehook is an infostealer written in C#.
  stealer xehook
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- An obfuscated cmd.exe command-line is typically used to evade detection.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral2