amadey

Sharing

Copy URL

Twitter E-mail

General

Target

archive.zip
Size

12.4MB
Sample

240629-xvzf8stena
MD5

9f3cf8e1497177f3f0eada9ffbfebde0
SHA1

73d976bae33367129ef1e1f613a7f0d17d7aa95e
SHA256

a45ae63ea9a20aecf8c1ae140824ed2f184d1777114ea4d604426bb6c0bff7cc
SHA512

e3979364c8c429f47561ebd8a7d4d80be7479be990408fc613a1d53da78f1d56e38e1be63b9be40a81ae0fb9f1d1b795ffae492e50013c5cc8b8b2dd56607d24
SSDEEP

196608:dPqGIdL+iPu6Y2L82IsJEjA3k25mMXvHnzEsV1nrAQITSQMDy2bDp:dyddi6u32L82pESk255PzEsnJIGQMDx

Malware Config

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

risepro

191.101.209.39

77.105.133.27

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

lumma

https://potterryisiw.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

https://groundsmooors.shop/api

https://foodypannyjsud.shop/api

Targets

- Target
  
  archive/amdhip64.dll
- Size
  
  10.1MB
- MD5
  
  da6bba744ffe35bd63e61ef2824ff15d
- SHA1
  
  54f12b2bc458c72e071cdff727c4a2f7a33d0ab5
- SHA256
  
  66d5725519eec9f0c16696c9bcf32ba3442551f36ec4bdb17e12f6e0d24027c7
- SHA512
  
  74ba3f3c817fb0519b42e7f68ac8d87692e461c1a8529ae86051bbf891350bab05023046da6b69648681e26656624c97bac9707938511190e1dab8afd45ded4a
- SSDEEP
  
  98304:FqFhXse/Y7jUHRRFcwETkorMg/696ffjZMXNDVjCXN2MX2:AXs37juRTcwETkGMUjZMXNDVjCXN2V
Score

1^/10
behavioral1 behavioral2
- Target
  
  archive/concrt140.dll
- Size
  
  309KB
- MD5
  
  31f210ed5c6f2d8faa1d896cda18584b
- SHA1
  
  5444d919f5014fb6bf58cefc6f01088c32a24a00
- SHA256
  
  5393f592cded7bd8ae07b2afc3efdcc4a0b05f7e8e74380a267398266fc02d41
- SHA512
  
  d39aa7acfd982759825b537a9ca5b04e6cdd9c0a28089e0f666ae4b75e84e2e2e58180103da38bea79efe3252cb9f1932efa69b64461cb76173645e8b6ddf3f6
- SSDEEP
  
  6144:Ylm+bq4hSdOec4xWMXdtvo4KbrniIzb7wQjnWzgCE33g:pmP/eJXzvSCzW3g
Score

1^/10
behavioral3 behavioral4
- Target
  
  archive/res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.pyc
- Size
  
  114KB
- MD5
  
  a2f3ded45da8870e93e5d2186dab27e8
- SHA1
  
  3f8e0cddecc3827b33ec02cd78d192c18f1ddf82
- SHA256
  
  fc19237a4e9ae65829dbde384ce0de2c78b22d9577384dded9d4cde569a12742
- SHA512
  
  438621491061c7f14f59c48d0d2fdd637a17c058df13417e21d660d81632dbb826a6144032f6f9192ab9bb0afb46b8f6cf3982879dc9942261c2538dbd17187c
- SSDEEP
  
  3072:k6BVH7SBjeSCbupKVfG2yQJ23J+Svsy9k/TukuPMh:zrbKeWmDyQ+13kOPMh
Score

3^/10
behavioral5 behavioral6
- Target
  
  archive/setup.exe
- Size
  
  792.5MB
- MD5
  
  ba080efe457d65936a33e95d834ca631
- SHA1
  
  38809c74840485a543ce6edfcfdc40edccc49363
- SHA256
  
  81fc1a37b9f0c25769846f121cfdd84bc3c11a03d6c32f021e133367f1e62980
- SHA512
  
  d1609c57e2a69e8871872543ddc22bbf9848a7537872ba335006c0936f0c39172ccf1b44ee1a1010e1791e952c2c682eea9a88ee396867658f5e3651885db470
- SSDEEP
  
  98304:vlEjneSvhKnC2P8Xscel5cIjAQrH5Lq1d2ITjeAWY/8J:tCZJKR8velaIjVq1d2oeBl
Score

10^/10

privateloader stealc default discovery evasion execution loader persistence spyware stealer amadey lumma redline risepro 4dd39d logsdiller cloud (tg: @logsdillabot)collection infostealer themida trojan vmprotect
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies firewall policy service
  evasion
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral7 behavioral8

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Lumma Stealer

Modifies firewall policy service

PrivateLoader

RedLine

RedLine payload

RisePro

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Unexpected DNS network traffic destination

VMProtect packed file

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Drops Chrome extension

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Power Settings

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8