Overview

overview

10

Static

static

1

!@#Setup-P...24.rar

windows11-21h2-x64

10

Resubmissions

06-12-2023 22:51

231206-2ssccshfe2 10

06-12-2023 22:49

231206-2rqgdahfd3 3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    !@#Setup-Pa$$W0rd-2024.rar

  • Size

    18.5MB

  • Sample

    231206-2ssccshfe2

  • MD5

    60491f605166919212aa0351ae618381

  • SHA1

    ffe9d28ee4059d07f1fd75a956002f18a1a90ee2

  • SHA256

    334dfd6a7a445f9f9276101e434202f4a044e1f5bbd2bf72a2b8ba7164cfe138

  • SHA512

    6dddb9d63edc10e7d58bb4e9f9a1d52409dcd84127fffcf542492b667277ebaec6fd13bf33d92836a2fc1476daac8dd0f97d73cf094c9f67196c523840cbafc0

  • SSDEEP

    393216:DvYV/q2OHdyVYb7VlVEH+odXdun4eSznP/TTzI+B8TaTw2bcuphX8:jYV6QVYbvVwNdun4Db38+B8eTwoz/M

Score
10/10
amadeylummaxmrigdiscoveryevasionminerspywarestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.125

Attributes
  • install_dir

    4fdb51ccdc

  • install_file

    Utsysc.exe

  • strings_key

    a70b05054314f381be1ab9a5cdc8b250

  • url_paths

    /u6vhSc3PPq/index.php

rc4.plain

Extracted

Family

lumma

C2

http://gatelistcoldyeisa.pw/api

Targets

    • Target

      !@#Setup-Pa$$W0rd-2024/@#Setup-Pa$$W0rd-2024.rar

    • Size

      18.5MB

    • MD5

      0aeb13bb3dd0d2761e3966625faac892

    • SHA1

      a12b4adbb104ca945d248697753b4acbf054f157

    • SHA256

      0a52968fe93ad0cfde0d408dbc7e0a77c54ab01fbcc280dd4a1b3b3897c79fce

    • SHA512

      20de52f3c358735ffedcd068a1ea07d8bc66705e524362bd6c1dd1e81636b7f664b7e9d23239441d98dfcff8cbd48a2a6b0ff3bd0c5cede95acdcefdc407a34e

    • SSDEEP

      393216:ZvYV/q2OHdyVYb7VlVEH+odXdun4eSznP/TTzI+B8TaTw2bcuphXe:BYV6QVYbvVwNdun4Db38+B8eTwoz/O

    Score
    10/10
    amadeylummaxmrigdiscoveryevasionminerspywarestealerthemidatrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks