General
-
Target
bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13
-
Size
1.9MB
-
Sample
240701-fsg1qsxbpc
-
MD5
eaa443f37443cb7221d63e0891243384
-
SHA1
d3242326b2ac1ae6e9817a49df33c3a79e209aee
-
SHA256
bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13
-
SHA512
8405c44c1eea8578224eb6495f689d66e4e2f6503c0bf08d3c111e4e307603a35089649296ebf89b76d339c9517a83133b741c655097a9fe319f25aae1f6afdb
-
SSDEEP
49152:6YyPZ96v5ohNyPiYPl5A7E2+P75+Zg6RenX1IAhTiz8wPT:kBSPiYNK7mP91/TOQ
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
newlogs
85.28.47.7:17210
Extracted
stealc
ZOV
http://40.86.87.10
-
url_path
/108e010e8f91c38c.php
Extracted
redline
newbuild
185.215.113.67:40960
Extracted
stealc
jopa
http://65.21.175.0
-
url_path
/108e010e8f91c38c.php
Extracted
redline
LiveTraffoc
4.185.56.82:42687
Extracted
lumma
https://groundsmooors.shop/api
https://potterryisiw.shop/api
https://foodypannyjsud.shop/api
https://contintnetksows.shop/api
https://reinforcedirectorywd.shop/api
Targets
-
-
Target
bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13
-
Size
1.9MB
-
MD5
eaa443f37443cb7221d63e0891243384
-
SHA1
d3242326b2ac1ae6e9817a49df33c3a79e209aee
-
SHA256
bef6f82a9c4064f8639e804036f460bafdd01eec87a355e247775d315b76db13
-
SHA512
8405c44c1eea8578224eb6495f689d66e4e2f6503c0bf08d3c111e4e307603a35089649296ebf89b76d339c9517a83133b741c655097a9fe319f25aae1f6afdb
-
SSDEEP
49152:6YyPZ96v5ohNyPiYPl5A7E2+P75+Zg6RenX1IAhTiz8wPT:kBSPiYNK7mP91/TOQ
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Virtualization/Sandbox Evasion
2Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1