Profiling Traffers: Cerberus (ex-Amnesia)

g0njxa
15 min read · May 9, 2024


In the infostealer ecosystem there are communities of malware operators who spread malicious builds on a daily basis and work under a common organization, better known as a team.

In this blog series I will be exposing, very briefly, the activity of some of these “traffer teams”: what they did, what they are doing and what they will do in the future. If possible, I’ll let them talk freely in a quick interview.

Today, Cerberus (aka Amnesia):

Cerberus is a traffer team specialized in working with infostealers, with a special interest in the CIS region. Formerly known as Amnesia Team, there are records of its activity since December 1, 2022, and it is still active under a new name, Cerberus Team. It is managed by @STYXTM

Heads — The interview

I reached out to them, and they asked me for a few questions to reply to. The reply back was “tmw” (tomorrow)… Today makes about 20 days of waiting for tomorrow.

Sadly, there will be no interview with the Cerberus Team.

Tails — The overview

~ Advertisements

The “Amnesia” team was advertised at Zelenka forum:

NFT — SEO — #1 Amnesia | 2 STILLERS | 3 CRYPTO | COOKIE CREATOR | ALL LOGS ARE YOURS — Social Engineering Forum — Zelenka.guru (Lolzteam)

It offered the opportunity to work with stealers, with free crypted builds and free SEO.
Profit mainly comes from cryptocurrencies stolen from the victim logs you obtain (with a 25% fee going to the team), and they also offer a referral system where you get 3% of what your referrals earn. Everyone can join the team, with or without prior experience.

They were a popular team, even having some custom songs made for them (in Russian).

Amnesia was banned from Zelenka on October 29, 2023. The reason was noncompliance with the forum’s rule not to work with logs from victims in CIS (Commonwealth of Independent States) countries. From the records we can see that Amnesia Team had in fact been working CIS logs since as far back as December 2022, and this behavior never changed during the whole time they operated, which led to the project being rejected from forums and related sites.

The “rebranding” of the Amnesia Team into Cerberus was announced in February 2024. It came as a surprise to the members of the team, who saw the operational Telegram bot stop working, the chat channel get a new name and the newly created Cerberus bot announced in the old Amnesia otstuk channel, so they needed to re-apply to the new team.

I can’t find any further advertisement on any forum or related site (of course not on the known ones either, because of their work with logs of people from CIS countries).

~ Managing the Telegram Bot

The old Amnesia bot is no longer working (t.me/AMNESIA_WORK_ROBOT).

Everything is detailed in so-called “manuals”:

Amnesia Team — как лить трафик? (how to drive traffic?) — Telegraph

They also shared a “Safety” manual:

AMNESIA | Библиотека (Library) — Teletype

Feel free to take a look at everything!

Applying to join the team

You didn’t need to fill in an application to join the team; you could start working as soon as you started the bot.

As said, nothing is working any longer. Please refer to the guides shared above.

Now, talking about the Cerberus Team:

Everything is managed by https://t.me/CERBERUS_TEAM_BOT

Applying to join the team

You need to fill in an application answering the following requests:

💫 Отправьте ссылку на форум
💫 Отправьте ссылкой скриншот ворка из другой тимы

💫 Send a link to the forum
💫 Send a link to a screenshot of your work from another team

And wait for the admin to accept your application. Once accepted, you are part of the Cerberus Team.

The bot’s functionality is written in Russian; I will be providing both original and translated screenshots.

There’s nothing much interesting in the bot, just the common functions of traffer teams, which I will be talking about in the next sections of this blog.

In the “Download installer” section you can download the logs generated by Cerberus Team builds. A temporary link is generated from

http://147.45.44.5:48219/file?fileId=**

from which a .zip is downloaded, named
dl_(your tg ID)_(File ID)

They also have a “payments” channel, with allegedly 112580 Russian rubles (about $1215 USD) paid to unknown (censored) members of the team.

~ Otstuk

We can notice two kinds of records on the Amnesia otstuk channel (the channel where the bot announces each new log).

From December 2022 until April 2023, they looked like this:
English words in parentheses are translations; the original message is in Russian.

💎 У (USERNAME) новый лог! ((USERNAME) has a new log!)

🌙 Стиллер: (Stealer)
🎛 Крипт: (Crypter)
🌍 IP: (Country Code)

Информация о логе: (Log information:)
🔐: 🍪: 💳: 🧊:

🔎 Запросы: (Requests:)
Запросы в паролях: (Requests in passwords:)
Запросы в куках: (Requests in cookies:)

Then, this record style was used until the rebrand in February 2024:
English words in parentheses are translations; the original message is in Russian.

💠 В панели новый лог! (There is a new log in the panel!)

🧛🏻 Билд: (Build / Username)

🌩 Стиллер: (Stealer)
🧬 Крипт: (Crypter)
💢 Был в панели: (Unique?)
🌐 Страна: (Country Code)

Информация о логе: (Log information:)
🔐: 🍪: 💳: 🧊:

🔎 Запросы: (Requests:)
Запросы в паролях: (Requests in passwords:)
Запросы в куках: (Requests in cookies:)

From the first-style records, there is a total of 63349 unique IPs, mainly from Russia or related countries!

Check the full summarization here: IP Summarization Results of 63349 IPs — IPinfo.io

Find the full list on here: https://github.com/g0njxa/ProfilingTraffers/raw/main/amnesia.txt

From the second-style records, the total number of victims recorded in their channels is 294857.

Sorted by country:

Russia (RU) - 68392
United States (US) - 12228
Ukraine (UA) - 10800
Brazil (BR) - 7649
Belarus (BY) - 4341
Germany (DE) - 4295
Turkiye (TR) - 3778
Kazakhstan (KZ) - 3770
Vietnam (VN) - 3371
Philippines (PH) - 2951
Poland (PL) - 2892
Egypt (EG) - 2859
Thailand (TH) - 2665
Netherlands (NL) - 2656
Mexico (MX) - 2564
Pakistan (PK) - 2282
United Kingdom (GB) - 2244
Colombia (CO) - 2215
France (FR) - 2195
Indonesia (ID) - 2066
Spain (ES) - 1954
India (IN) - 1881
Peru (PE) - 1864
Algeria (DZ) - 1829
Argentina (AR) - 1769
Bangladesh (BD) - 1569
Morocco (MA) - 1552
Italy (IT) - 1462
Romania (RO) - 1232
Uzbekistan (UZ) - 1131
Belgium (BE) - 1098
China (CN) - 1050
Czechia (CZ) - 944
Malaysia (MY) - 925
Chile (CL) - 894
Moldova (MD) - 878
Venezuela (VE) - 852
Iraq (IQ) - 851
Portugal (PT) - 816
Hungary (HU) - 812
Canada (CA) - 802
Norway (NO) - 759
Ecuador (EC) - 755
Sri Lanka (LK) - 737
Saudi Arabia (SA) - 684
Serbia (RS) - 668
Dominican Republic (DO) - 639
South Korea (KR) - 601
Bolivia (BO) - 597
Tunisia (TN) - 595
South Africa (ZA) - 586
Kyrgyzstan (KG) - 565
Israel (IL) - 552
Kenya (KE) - 547
Iran (IR) - 546
Myanmar (MM) - 545
Lithuania (LT) - 535
Latvia (LV) - 516
Georgia (GE) - 490
Nigeria (NG) - 479
Australia (AU) - 427
Nepal (NP) - 417
Bulgaria (BG) - 410
Sweden (SE) - 403
Armenia (AM) - 400
Ghana (GH) - 369
United Arab Emirates (AE) - 364
Switzerland (CH) - 357
Slovakia (SK) - 349
Jordan (JO) - 333
Austria (AT) - 326
Japan (JP) - 323
Uruguay (UY) - 319
Azerbaijan (AZ) - 295
Estonia (EE) - 273
Ethiopia (ET) - 264
Bosnia and Herzegovina (BA) - 250
Luxembourg (LU) - 244
Finland (FI) - 233
Singapore (SG) - 232
Greece (GR) - 230
Palestine (PS) - 230
Croatia (HR) - 222
Denmark (DK) - 220
Taiwan (TW) - 217
Guatemala (GT) - 212
Cambodia (KH) - 207
Lebanon (LB) - 196
Ivory Coast (CI) - 194
Mongolia (MN) - 198
Costa Rica (CR) - 177
Paraguay (PY) - 175
Kuwait (KW) - 133
Honduras (HN) - 130
Laos (LA) - 128
Madagascar (MG) - 127
Ireland (IE) - 122
Cameroon (CM) - 120
Hong Kong (HK) - 119
Togo (TG) - 111
North Macedonia (MK) - 110
Panama (PA) - 110
Albania (AL) - 108
Cuba (CU) - 108
Senegal (SN) - 108
Slovenia (SI) - 108
Tanzania (TZ) - 106
Zambia (ZM) - 105
Uganda (UG) - 103
El Salvador (SV) - 94
Equatorial Guinea (GQ) - 94
Angola (AO) - 93
New Zealand (NZ) - 90
Qatar (QA) - 87
Jamaica (JM) - 83
Sudan (SD) - 80
Libya (LY) - 71
Oman (OM) - 69
Mozambique (MZ) - 68
Trinidad and Tobago (TT) - 66
Tajikistan (TJ) - 64
Burkina Faso (BF) - 62
Puerto Rico (PR) - 61
Nicaragua (NI) - 58
Benin (BJ) - 54
Yemen (YE) - 51
Cyprus (CY) - 50
Congo (CG) - 49
Bahrain (BH) - 46
Rwanda (RW) - 46
Gabon (GA) - 45
Reunion (RE) - 44
Namibia (NA) - 43
Syria (SY) - 38
Democratic Republic of Congo (CD) - 37
Montenegro (ME) - 36
Mali (ML) - 36
Papua New Guinea (PG) - 33
Zimbabwe (ZW) - 33
Jersey (JE) - 31
Botswana (BW) - 30
Malawi (MW) - 30
Haiti (HT) - 29
Mauritius (MU) - 28
Maldives (MV) - 24
Somalia (SO) - 22
Afghanistan (AF) - 19
Guyana (GY) - 19
Brunei (BN) - 18
Mauritania (MR) - 16
Cabo Verde (CV) - 14
Malta (MT) - 13
Saint Kitts and Nevis (KN) - 13
Bahamas (BS) - 12
Suriname (SR) - 12
Iceland (IS) - 11
Liberia (LR) - 11
Macao (MO) - 10
Andorra (AD) - 9
Barbados (BB) - 9
Belize (BZ) - 9
Fiji (FJ) - 9
Sierra Leone (SL) - 9
Bhutan (BT) - 8
Saint Lucia (LC) - 8
French Guiana (GF) - 7
Guadeloupe (GP) - 7
Guam (GU) - 7
Guinea (GN) - 7
Chad (TD) - 6
Gambia (GM) - 6
Niger (NE) - 6
Timor-Leste (TL) - 6
Curaçao (CW) - 5
French Polynesia (PF) - 4
Lesotho (LS) - 4
Martinique (MQ) - 4
Burundi (BI) - 3
Eswatini (SZ) - 3
Isle of Man (IM) - 3
Liechtenstein (LI) - 3
New Caledonia (NC) - 3
Saint Martin (MF) - 3
San Marino (SM) - 3
Cayman Islands (KY) - 2
Dominica (DM) - 2
Faroe Islands (FO) - 2
Greenland (GL) - 2
Grenada (GD) - 2
Guernsey (GG) - 2
Guinea-Bissau (GW) - 2
Turks and Caicos Islands (TC) - 2
Virgin Islands (VI) - 2
Anguilla (AI) - 1
Antigua and Barbuda (AG) - 1
Bermuda (BM) - 1
Caribbean Netherlands (BQ) - 1
Central African Republic (CF) - 1
Comoros (KM) - 1
Djibouti (DJ) - 1
Kiribati (KI) - 1
Micronesia (FM) - 1
Monaco (MC) - 1
Norfolk Island (NF) - 1
Northern Mariana Islands (MP) - 1
Palau (PW) - 1
South Sudan (SS) - 1
Turkmenistan (TM) - 1
Virgin Islands (VG) - 1

A total of 51671 records were marked as non-unique, which leaves a total of 243186 unique logs.

So from both record styles we can see how members of the Amnesia Team acted against victims around the world (with a special focus on Russian people), with a total of 306535 unique victims.

Talking about the stealers used: a total of 2525 records were tagged as Aurora Stealer logs, 507 as Lumma Stealer, 25254 as Redline and 168502 as META logs.

Some of the requests (the keyword searches run against each log’s passwords and cookies) were:
“MONEY”, “PAYPAL”, “AMAZON”, “FACEBOOK”, “BANKS”, “EPICGAMES”, “ROBLOX”, “STEAM”, “GPAY”, “VALORANT”, “FORTNITE”, “EA”, “GENSHIN”, “BLIZZARD”.

There should be more.
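To show how the per-country, unique-log and keyword figures above can be derived from the otstuk records, here is an added Python example (mine, not the author’s tooling) that parses messages in the second Amnesia record style and summarizes them. The records are constructed from the template shown above with made-up values; the Да/Нет values for “Был в панели” and the meaning of the four icon counters are assumptions, since the page shows only the labels.

```python
import re
from collections import Counter

# Second Amnesia-era otstuk layout, as shown on the page; the values are filled in
# from the constructed rows below (none of them is a real log).
TEMPLATE = """💠 В панели новый лог!

🧛🏻 Билд: {build}

🌩 Стиллер: {stealer}
🧬 Крипт: {crypter}
💢 Был в панели: {seen}
🌐 Страна: {country}

Информация о логе:
🔐: {pw} 🍪: {ck} 💳: {cc} 🧊: {wl}

🔎 Запросы:
Запросы в паролях: {pw_hits}
Запросы в куках: {ck_hits}
"""
KEYS = ("build", "stealer", "crypter", "seen", "country", "pw", "ck", "cc", "wl", "pw_hits", "ck_hits")
# Assumption: "Был в панели" carries Да/Нет; the page shows only the label.
CONSTRUCTED = [
    ("678468341-26990097-alice", "META", "alice", "Нет", "RU", 12, 340, 0, 1, "STEAM, PAYPAL", "FACEBOOK"),
    ("678468341-26990097-alice", "META", "alice", "Да", "RU", 3, 90, 0, 0, "", "AMAZON"),
    ("5938639204-26990097-alice", "META", "alice", "Нет", "RU", 41, 1210, 2, 0, "MONEY, BANKS", "PAYPAL"),
    ("1404983927-IX5wZhT8-alice", "Redline", "alice", "Нет", "US", 7, 65, 1, 0, "STEAM", ""),
    ("5409138329-IuNhTo8R-packlab", "Redline", "packlab", "Нет", "UA", 0, 12, 0, 0, "", "ROBLOX"),
]

def build_feed() -> str:
    """Concatenate the constructed records the way a channel export would deliver them."""
    return "\n".join(TEMPLATE.format(**dict(zip(KEYS, row))) for row in CONSTRUCTED)

def _field(block: str, label: str) -> str:
    # Each label may be preceded by an emoji and a space; match the label text itself.
    m = re.search(rf"^\S*[ \t]*{re.escape(label)}:[ \t]*(.*)$", block, re.MULTILINE)
    return m.group(1).strip() if m else ""

def _split_hits(value: str) -> list:
    return [h.strip().upper() for h in value.split(",") if h.strip()]

def parse_records(feed: str) -> list:
    """Split a channel dump at each 💠 header and parse every record into a dict."""
    records = []
    for block in re.split(r"(?=^💠 В панели новый лог!)", feed, flags=re.MULTILINE):
        if "Билд:" not in block:
            continue
        line = re.search(r"Информация о логе:[ \t]*\n(.*)", block)
        counts = {k: int(v) for k, v in re.findall(r"(\S+?):\s*(\d+)", line.group(1))} if line else {}
        records.append({
            "build": _field(block, "Билд"),
            "stealer": _field(block, "Стиллер"),
            "crypter": _field(block, "Крипт"),
            # "Был в панели" = log already seen in the panel: what the author counts as non-unique
            "seen_before": _field(block, "Был в панели").lower() == "да",
            "country": _field(block, "Страна"),
            # the four icon counters, keyed by icon; the page does not say what each one stands for
            "counts": counts,
            "password_hits": _split_hits(_field(block, "Запросы в паролях")),
            "cookie_hits": _split_hits(_field(block, "Запросы в куках")),
        })
    return records

def summarize(records: list) -> dict:
    """The page's headline figures: total and unique logs, per-country and per-stealer counts, keyword hits."""
    unique = [r for r in records if not r["seen_before"]]
    return {
        "total": len(records),
        "unique": len(unique),
        "by_country": Counter(r["country"] for r in unique),
        "by_stealer": Counter(r["stealer"].upper() for r in records),
        "request_hits": Counter(h for r in records for h in r["password_hits"] + r["cookie_hits"]),
    }
```

Run on a real channel export, the same functions give the country table, the non-unique count and the keyword list the author reports, as long as the export keeps the message text intact.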

If we look now at the Cerberus Team,

we can notice other kinds of record styles on their otstuk channel:

  1. Used from February 23rd until February 25th

🔈 New logger RECEVIED!!
— — — — — — — — — — — — — — — — — ✂️ — — — — — — — — — — — — — — — — — —
📮 Name: New log
🆔 LogsID:
💻 Host:
📡 IP:
🌐 Geo:
🆔 Hwid:
🍪 Cookies:
🔑 Password:
💳 Credits:
💰 Wallets:
📝 Origin:
🏷 Tags:

English words in parentheses are translations; the original message is in Russian.

2. Used only on February 25th

💸 Пришел новый лог — 0/00/0000 0:00:00 AM (A new log has arrived)

💊 Стиллер: (Stealer)
🌐 IP:
💽 HWID:
🌎 Страна: (Country Code)

Краткая информация о логе: (Brief information about the log:)
🔐:
🍪:
💳:
🧊:

🔍 Запросы: (Requests:)
Запросы в паролях: (Requests in passwords:)
Запросы в куках: (Requests in cookies:)

Был в системе: (Was in the system?)

  3. Used since February 25th until today (current records)

💠 В панели новый лог! (There is a new log in the panel!)

🧛🏻 Билд: (Build)

🌩 Стиллер: (Stealer)
🧬 Крипт: (Crypt)
💢 Был в панели: (Unique?)
🌎 Страна: (Country Code)
🌐 IP:

Информация о логе: (Log information:)
🔐: 🍪: 💳: 🧊:

🔎 Запросы: (Requests:)
Запросы в паролях: (Requests in passwords:)
Запросы в куках: (Requests in cookies:)

We can find a total of 10570 unique victims, mainly from Russia.

Find IP summarization here: IP Summarization Results of 10570 IPs — IPinfo.io

Find the full list on here: ProfilingTraffers/cerberus.txt at main · g0njxa/ProfilingTraffers (github.com)

There are 1053 records tagged as META logs, 21324 as Rhadamanthys and 3430 tagged as Dracula Stealer (aka Samurai) logs… See below for further discussion of these stealers.

Some of the requests being checked against the log (as shown in the records) are: MONEY, PayPal, Amazon, BusFB, GPay, BANKS.

~ Workers

There are no records of usernames allegedly supplying logs to the team.

If we look at the records of other teams, these usernames were part of the “Botnet” ID used in the stealers (talking about Redline, META or Lumma), which directly links the actor behind the build to the stealer build itself.

The Amnesia Team (or Cerberus) used another kind of Botnet ID in their builds; in this case, what was used as the Botnet ID was the Telegram ID of the threat actor, in the following format:

TG user ID-Panel ID-Crypter, for example 1084319778-77906307-alice

  • I really never understood what I consider the Panel ID to be, because there is no information available (I have never seen it) and I had to draw my own conclusions… Also, while looking at more traffers, there were other teams using the same format, and also the same C2 for their builds, but with another “Panel ID”. Teams such as “SHARK” or “HAUNTED”, now dead, but that will be a story for another blog. Further discussion below.

And tracing a user by his Telegram ID is supposed to be impossible (without having seen it before), and that's when OPSEC failures caused by bad behavior in common groups give us a fresh breath of air. Lovely, isn’t it?

User 1084319778 is @ezor2, potentially a traffer under the Amnesia Team (for the reasons stated before it could be a traffer under another team, but one using the same builds as the traffers from the Amnesia Team).

This way we can expose some traffers, a really small number of them… For example:

5170611868-77906307-easy, as @thornywayy aka @successfulyes

5409138329-IuNhTo8R-packlab, as @DOOBRYA (now deleted)

5938639204-26990097-alice, as @dens222888 aka @Mc_t0rfin

Of course, there are more.
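As an added example of pivoting on the Botnet ID format described above (my code, not the author’s), the following Python parses TG user ID-Panel ID-Crypter values from a constructed excerpt in the telemetry column layout the author uses, tolerates the en dash that copy/paste sometimes puts in place of the first hyphen, and clusters samples by operator and by Panel ID. The Botnet IDs and C2 addresses in the excerpt are values quoted on this page; the stealer/C2 pairing of each row is illustrative and not a claim about any specific sample.

```python
import csv
import io
import re
from collections import defaultdict

# Botnet ID layout used in Amnesia/Cerberus builds, as described above:
# <Telegram user ID>-<Panel ID>-<crypter>. Pasted IDs sometimes carry an en dash
# (U+2013) instead of the first hyphen, so both separators are accepted.
BOTNET_ID_RE = re.compile(
    r"^(?P<tg_id>\d+)[-\u2013](?P<panel_id>[A-Za-z0-9]+)[-\u2013](?P<crypter>[A-Za-z0-9_]+)$"
)

# Constructed excerpt in the page's telemetry column layout (hash and sandbox columns
# dropped). IDs and C2s are quoted on the page; the stealer/C2 pairing per row is illustrative.
SAMPLE_CSV = """STEALER,C2,BOTNET
META,5.42.65.101:48790,678468341-26990097-alice
REDLINE,5.42.65.101:40676,678468341-26990097-easy
META,5.42.65.101:48790,678468341-26990097-packlab
META,5.42.65.101:48790,5938639204-26990097-alice
META,5.42.65.101:48790,1084319778–77906307-alice
META,5.42.65.101:48790,5170611868–77906307-easy
META,5.42.65.101:48790,5409138329-IuNhTo8R-packlab
REDLINE,5.42.65.36:11552,@dofaminee
REDLINE,5.42.65.36:11552,DQs6FRIoIBgQM1hR
"""

def parse_botnet_id(value: str):
    """Return (tg_id, panel_id, crypter), or None when the value is not in the team's
    format (the @username or random-string botnet IDs seen in other RedLine builds)."""
    m = BOTNET_ID_RE.match(value.strip())
    return (m["tg_id"], m["panel_id"], m["crypter"]) if m else None

def load_rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))

def pivot(rows: list):
    """Cluster samples by operator (TG ID) and by panel ID; unparsable IDs are kept aside."""
    by_actor = defaultdict(lambda: {"panels": set(), "crypters": set(), "stealers": set(), "c2s": set()})
    by_panel = defaultdict(set)
    other = []
    for row in rows:
        parsed = parse_botnet_id(row["BOTNET"])
        if parsed is None:
            other.append(row["BOTNET"])
            continue
        tg_id, panel_id, crypter = parsed
        actor = by_actor[tg_id]
        actor["panels"].add(panel_id)
        actor["crypters"].add(crypter)
        actor["stealers"].add(row["STEALER"])
        actor["c2s"].add(row["C2"])
        by_panel[panel_id].add(tg_id)   # same panel ID across operators = same team, per the text
    return dict(by_actor), dict(by_panel), other

def report(rows: list) -> list:
    """One line per operator, most crypters first, then the panel-ID clusters and the leftovers."""
    by_actor, by_panel, other = pivot(rows)
    lines = []
    for tg_id, a in sorted(by_actor.items(), key=lambda kv: -len(kv[1]["crypters"])):
        lines.append(f"TG {tg_id}: panels={sorted(a['panels'])} crypters={sorted(a['crypters'])} "
                     f"stealers={sorted(a['stealers'])} c2s={sorted(a['c2s'])}")
    for panel_id, ids in sorted(by_panel.items()):
        lines.append(f"panel {panel_id}: {len(ids)} operator(s) {sorted(ids)}")
    lines.append(f"not in team format: {other}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(load_rows(SAMPLE_CSV))))
```

The TG-ID clusters are what let the author link one operator to several crypters and stealer families; mapping a TG ID to a handle still needs an out-of-band sighting, which the code does not attempt.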

I found no way to identify the threat actors working for the Cerberus Team now… These are its current top-10 contributors to the team:

~ Builds

The Cerberus Team now uses “Dracula” (Samurai) Stealer as its main tool to get logs.

I generated a sample from the bot; find it here:

MalwareBazaar | SHA256 ddd48bf86fb56853f8d7ec54bdd9922044f4f6a97aa16c4b1b6da4d162c63f50 (abuse.ch)

C2–195.10.205.74:1953

Detonation: Analysis ddd48bf86fb56853f8d7ec54bdd9922044f4f6a97aa16c4b1b6da4d162c63f50.exe (MD5: ED89AEB1400EA4790B2A62200EE44680) Malicious activity — Interactive analysis ANY.RUN

As always, I got some logs back from the sandbox machines. Doing CTI rocks 😎.

Special thanks to @vxremalware and @RussianPanda9xx for their findings :P

More builds were found by @ddash_ct ❤


~ Past Telemetry

Talking about the Amnesia Team, they used to spread META builds on YouTube and other sites, like true traffers, but with a special focus on Russian content. A simple YouTube search for “скачать бесплатно 2023” (“download for free 2023”) could have revealed fake cheat videos sharing Amnesia Team related builds.

The last Amnesia C2 for META builds had a very personalized webpage, publicly reported by @karol_paciorek:

https://x.com/karol_paciorek/status/1721516368984461620

C2 — 5.42.65.101

You should be able to find dozens of stealer builds related to this IP, all of them related to Amnesia or to one of the other related teams, for the reasons I stated before.

I manually scraped a bit of very old app.any.run analysis telemetry (stealer family, C2, Botnet ID, sample hash and analysis link) so you can have a quick overview.


An alternative C2 used by Amnesia was 37.220.87.13; feel free to take a look!

~ Extra

Rhadamanthys Stealer was used by the Cerberus Team to infect thousands of Russia-based victims through these traffers. This was unusual behavior for this stealer, even though they had banned activity in CIS countries.

It seems that bad configuration of the stealer made its operator lose control over this ban, and in fact Rhadamanthys was used in more serious threats: Разбор новой атаки кибершпионов Sticky Werewolf с использованием Rhadamanthys Stealer (Analysis of a new attack by the Sticky Werewolf cyber-spies using Rhadamanthys Stealer) / Хабр (habr.com)

That led Rhadamanthys to lose its forum accounts on XSS and Exploit.

But Rhadamanthys is not dead, let’s wait…

(Not) The end ;)

Expect more content, soon.
Best regards,

@g0njxa
