amadey | 8e52f747699c12d756897c4482703176edf64f09624955ab45c879c5db3aaf8a | Triage

Submit
Reports

Overview

overview

Static

static

3

cryptolaemus

windows10-2004-x64

cryptolaemus

windows11-21h2-x64

Sharing

General

Target

8e52f747699c12d756897c4482703176edf64f09624955ab45c879c5db3aaf8a
Size

1.8MB
Sample

240620-1ra61ssgmk
MD5

6c7e43bbf75184c3057fe13366dab2ae
SHA1

32933ffb55922dead5ea5f798f93b51944333734
SHA256

8e52f747699c12d756897c4482703176edf64f09624955ab45c879c5db3aaf8a
SHA512

5d4775e6939a77c0e30844db174c0188f873565a162bc0def410827d08c4ace03ff513c0c4212b17f837ce561dfca91e9e79675a89d42f7166715c89fa6d772c
SSDEEP

49152:3vnOLQZ7SbOZ4S9dA8XuvpItcfEsv2MokVR2QHCA5Nm6bkXWe:3WLhQ4S9dL+vKtp62Mo+IA5NSXW

Score

10^/10

amadey exelastealer lumma monster redline @logscloudyt_bot e76b71 livetraffic newbild defense_evasion discovery evasion execution infostealer persistence privilege_escalation pyinstaller spyware stealer themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

8e52f747699c12d756897c4482703176edf64f09624955ab45c879c5db3aaf8a.exe

Resource

win10v2004-20240611-en

amadey exelastealer lumma monster redline @logscloudyt_bot e76b71 livetraffic newbild defense_evasion discovery evasion execution infostealer persistence privilege_escalation pyinstaller spyware stealer themida trojan

windows10-2004-x64

49 signatures

150 seconds

Behavioral task

behavioral2

Sample

8e52f747699c12d756897c4482703176edf64f09624955ab45c879c5db3aaf8a.exe

Resource

win11-20240419-en

amadey e76b71 evasion trojan

windows11-21h2-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

newbild

C2

185.215.113.67:40960

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

C2

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

C2

4.185.27.237:13528

Extracted

Family

lumma

C2

https://parallelmercywksoffw.shop/api

https://liabiliytshareodlkv.shop/api

https://notoriousdcellkw.shop/api

https://conferencefreckewl.shop/api

Targets

- Target
  
  8e52f747699c12d756897c4482703176edf64f09624955ab45c879c5db3aaf8a
- Size
  
  1.8MB
- MD5
  
  6c7e43bbf75184c3057fe13366dab2ae
- SHA1
  
  32933ffb55922dead5ea5f798f93b51944333734
- SHA256
  
  8e52f747699c12d756897c4482703176edf64f09624955ab45c879c5db3aaf8a
- SHA512
  
  5d4775e6939a77c0e30844db174c0188f873565a162bc0def410827d08c4ace03ff513c0c4212b17f837ce561dfca91e9e79675a89d42f7166715c89fa6d772c
- SSDEEP
  
  49152:3vnOLQZ7SbOZ4S9dA8XuvpItcfEsv2MokVR2QHCA5Nm6bkXWe:3WLhQ4S9dL+vKtp62Mo+IA5NSXW
Score

10^/10

amadey exelastealer lumma monster redline @logscloudyt_bot e76b71 livetraffic newbild defense_evasion discovery evasion execution infostealer persistence privilege_escalation pyinstaller spyware stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Monster Stealer.
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Monster
  Monster is a Golang stealer that was discovered in 2024.
  stealer monster
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

amadeyexelastealerlummamonsterredline@logscloudyt_bote76b71livetrafficnewbilddefense_evasiondiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationpyinstallerspywarestealerthemidatrojan

behavioral2

amadeye76b71evasiontrojan

© 2018-2024

Terms | Privacy