amadey | a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c | Triage

Submit
Reports

Overview

overview

Static

static

3

winprofile

windows7-x64

winprofile

windows10-1703-x64

Sharing

General

Target

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c
Size

1.8MB
Sample

240627-26dfcsxcne
MD5

b60d82b8244e964110f66e7ad34dc37b
SHA1

413eb99c2ab5ea8f43d651b0100e76fc53aeba70
SHA256

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c
SHA512

0641d19e3f3b71f0a8def8eeb19ac9364abc9f9f12762272a41331f3ee7e2a2ef5f96ca7ccbe879c21c3abefb8eafac2a46ac4901c0791be9b391dde754f5bb4
SSDEEP

49152:+cGpBBa72Cb7j7sMC8uB5cOtr9OwGlFN:61ab33y5c0r9OvL

Score

10^/10

amadey lumma redline smokeloader stealc xmrig 123 e76b71 jopa backdoor discovery evasion execution infostealer miner persistence spyware stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe

Resource

win7-20231129-en

amadey redline smokeloader xmrig 123 e76b71 backdoor discovery evasion execution infostealer miner persistence spyware stealer trojan upx

windows7-x64

36 signatures

300 seconds

Behavioral task

behavioral2

Sample

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe

Resource

win10-20240404-en

amadey lumma redline stealc 123 e76b71 jopa discovery evasion execution infostealer persistence spyware stealer trojan upx

windows10-1703-x64

32 signatures

300 seconds

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://movlat.com/tmp/

http://llcbc.org/tmp/

http://lindex24.ru/tmp/

http://qeqei.xyz/tmp/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

123

C2

185.215.113.67:40960

Extracted

Family

stealc

Botnet

jopa

C2

http://65.21.175.0

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

lumma

C2

https://harmfullyelobardek.shop/api

Targets

- Target
  
  a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c
- Size
  
  1.8MB
- MD5
  
  b60d82b8244e964110f66e7ad34dc37b
- SHA1
  
  413eb99c2ab5ea8f43d651b0100e76fc53aeba70
- SHA256
  
  a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c
- SHA512
  
  0641d19e3f3b71f0a8def8eeb19ac9364abc9f9f12762272a41331f3ee7e2a2ef5f96ca7ccbe879c21c3abefb8eafac2a46ac4901c0791be9b391dde754f5bb4
- SSDEEP
  
  49152:+cGpBBa72Cb7j7sMC8uB5cOtr9OwGlFN:61ab33y5c0r9OvL
Score

10^/10

amadey redline smokeloader xmrig 123 e76b71 backdoor discovery evasion execution infostealer miner persistence spyware stealer trojan upx lumma stealc jopa
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

amadeyredlinesmokeloaderxmrig123e76b71backdoordiscoveryevasionexecutioninfostealerminerpersistencespywarestealertrojanupx

behavioral2

amadeylummaredlinestealc123e76b71jopadiscoveryevasionexecutioninfostealerpersistencespywarestealertrojanupx

© 2018-2024

Terms | Privacy